Spring Framework RCE Vulnerability With War File Deployments on Tomcat


Yesterday, an RCE vulnerability in the Spring Framework was announced:
Spring Framework RCE, Early Announcement
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

As of now, the only confirmed exploitation scenario is a Spring-based (for example Spring Boot) application packaged as a WAR and running on Apache Tomcat under JDK 9 or later. Upgrading to Spring Boot 2.6.6 is nevertheless recommended as soon as possible for every Spring-based application, including those deployed as executable JARs, because, as the announcement puts it, “the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet”:

Spring Boot 2.6.6 available now

So, if you deploy Spring Boot or other Spring-based applications as WAR files, an immediate upgrade to Spring Boot 2.6.6 / Spring Framework 5.3.18 is strongly recommended.

If your Spring-based applications are deployed as JAR files, you are probably safe for now, but you should still upgrade your Spring Boot and Spring Framework dependencies as soon as possible. Note that the JDK version matters as well: the reported exploit requires JDK 9 or later, so an application still running on JDK 8 is outside the reported scenario, but not necessarily outside the more general weakness, and the fixed Spring Framework version is what ultimately removes the exposure, regardless of packaging.
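The quickest way to triage an existing deployment against the scenario above is to look at which Spring Framework jars a WAR actually ships under WEB-INF/lib and combine that with the two facts the archive cannot tell you, the JDK major version and the servlet container. The following script is an added example for this post, not code from the Spring project: the fixed version 5.3.18 and the WAR/Tomcat/JDK 9+ scenario come from the announcement quoted above, while the module list, the status names, the `assess()` function and the in-memory sample WAR it is run against are assumptions of this script.

```python
"""Triage a WAR for CVE-2022-22965 exposure by inspecting WEB-INF/lib.

Added example for this post, not code from the Spring project. The fixed
Spring Framework version 5.3.18 and the reported WAR / Tomcat / JDK 9+ scenario
come from the announcement; module lists, status names and the constructed
sample WAR are this script's own assumptions.
"""
import io
import re
import zipfile

FIXED_VERSION = (5, 3, 18)  # Spring Framework 5.3.18, as named in the post

# Spring Framework modules commonly found in WEB-INF/lib (assumption: a fixed
# list keeps Spring Boot / Spring Security jars, which follow their own version
# lines, out of the comparison against 5.3.18).
FRAMEWORK_MODULES = {
    "spring-core", "spring-beans", "spring-context", "spring-web",
    "spring-webmvc", "spring-webflux", "spring-aop", "spring-expression",
}
WEB_MODULES = {"spring-webmvc", "spring-webflux"}

# Matches e.g. WEB-INF/lib/spring-webmvc-5.3.17.jar and ...-4.3.30.RELEASE.jar
_JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-[a-z]+(?:-[a-z]+)*)-(\d+(?:\.\d+)+)(?:\.RELEASE)?\.jar$"
)


def parse_version(text):
    """'5.3.17' -> (5, 3, 17). Tuples compare correctly; as strings '5.3.9' > '5.3.18'."""
    return tuple(int(part) for part in text.split("."))


def fmt(version):
    return ".".join(str(part) for part in version)


def spring_jars(war_bytes):
    """Map each Spring Framework module found under WEB-INF/lib to its version tuple."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            match = _JAR_RE.match(name)
            if match and match.group(1) in FRAMEWORK_MODULES:
                found[match.group(1)] = parse_version(match.group(2))
    return found


def assess(war_bytes, jdk_major, container):
    """Return (status, reason) for one deployment.

    jdk_major and container describe the runtime the WAR is deployed into; the
    archive does not record them, so the caller has to supply them.
    """
    jars = spring_jars(war_bytes)
    if not jars:
        return "no-spring", "no Spring Framework jars under WEB-INF/lib"
    oldest_module = min(jars, key=jars.get)
    oldest = jars[oldest_module]
    if oldest >= FIXED_VERSION:
        return "patched", f"{oldest_module} {fmt(oldest)} is at or above {fmt(FIXED_VERSION)}"
    reported_scenario = (
        jdk_major >= 9
        and container.lower() == "tomcat"
        and any(module in jars for module in WEB_MODULES)
    )
    reason = f"{oldest_module} {fmt(oldest)} is below {fmt(FIXED_VERSION)}"
    if reported_scenario:
        return "upgrade-now", reason + "; WAR on Tomcat with JDK 9+ matches the reported exploit scenario"
    return "upgrade-advised", reason + "; not the reported scenario, but the fix is still advised"


def build_sample_war(spring_version,
                     modules=("spring-core", "spring-beans", "spring-web", "spring-webmvc")):
    """Construct a minimal WAR in memory (constructed sample, not a real build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for module in modules:
            war.writestr(f"WEB-INF/lib/{module}-{spring_version}.jar", b"")
        # Spring Boot has its own version line; the regex sees it but it is ignored
        war.writestr("WEB-INF/lib/spring-boot-2.6.5.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for version, jdk, container in (("5.3.17", 11, "tomcat"),
                                    ("5.3.17", 8, "tomcat"),
                                    ("5.3.18", 17, "tomcat")):
        print(version, jdk, container, "->", assess(build_sample_war(version), jdk, container))
```

To run it against a real artifact, read the WAR from disk (`open("app.war", "rb").read()`) and pass the JDK major version and container name of the server it is deployed on. The script deliberately compares version tuples rather than strings, since a string comparison would rank 5.3.9 above 5.3.18, and it reports the oldest Spring Framework module it finds, because a WAR assembled from mixed dependency versions is only as patched as its oldest module.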

About the author: Bjoern
Independent IT consultant, entrepreneur
