Threat Advisory

Spring4shell

April 1, 2022 | By Accorian

Hello,

Spring has announced a new zero-day vulnerability in the Spring Core Java framework: an unauthenticated RCE (Remote Code Execution). Spring is an open-source application framework that provides infrastructure support for creating Java applications that can be deployed on servers as discrete packages. Approximately 70 percent of all Java applications use it, so any critical vulnerability identified in Spring has a massive impact.

Currently, two remote code execution issues have been confirmed:

  1. CVE-2022-22965 – On March 29, 2022, a Chinese researcher posted on his Twitter account a PoC of a Remote Code Execution vulnerability in the Spring Core Java library. It has been named “Spring4Shell” and has been confirmed by several sources in Spring Core <=5.3.17 and <=5.2.19; the exploit leverages class injection. The impact identified is severe. Patches are now available for Spring4Shell in Spring versions 5.3.18 and 5.2.20.
  2. CVE-2022-22963 – In CVE-2022-22963, Spring Cloud Function allows a SpEL expression supplied in the spring.cloud.function.routing-expression HTTP request header to be injected and evaluated through StandardEvaluationContext. This vulnerability has been confirmed in Spring Cloud Function <=3.1.6 and <=3.2.2. Patches are now available for this CVE in Spring Cloud Function versions 3.1.7 and 3.2.2.

Engineers and Spring admins should prioritize deploying these security updates as soon as possible because, according to vulnerability analyst Will Dormann, even the sample code available on spring.io is vulnerable, and many developers use that code as a template for their applications.
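One way to turn the version ranges above into a repeatable inventory check, as an added example that is not part of Accorian's advisory: a Python script that scans `mvn dependency:list` output (the sample lines below are constructed) and flags Spring Framework and Spring Cloud Function artifacts at or below the versions the advisory reports as confirmed vulnerable. Matching on the `org.springframework` and `org.springframework.cloud` Maven group ids is an assumption about the artifact coordinates; versions on a branch the advisory does not mention are reported for manual review rather than guessed at.

```python
import re

# Highest version the advisory above reports as confirmed vulnerable, per release branch.
# A dependency on one of these branches at or below the bound is flagged as vulnerable.
CONFIRMED_VULNERABLE = {
    "CVE-2022-22965": {"group": "org.springframework", "prefix": "spring-",
                       "bounds": {(5, 3): 17, (5, 2): 19}},
    "CVE-2022-22963": {"group": "org.springframework.cloud", "prefix": "spring-cloud-function",
                       "bounds": {(3, 1): 6, (3, 2): 2}},
}

# group:artifact:type:version:scope, as printed by `mvn dependency:list` (assumed format)
DEP_LINE = re.compile(r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+:(?P<version>[\w.\-]+):\w+")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")

# Constructed sample output; not taken from any real build.
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.17:compile
[INFO]    org.springframework:spring-beans:jar:5.3.18:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.1.6:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.6.5:compile
[INFO]    org.springframework:spring-web:jar:5.1.20.RELEASE:compile
"""

def parse_version(text):
    m = VERSION.match(text)
    return tuple(int(x) for x in m.groups()) if m else None

def classify(group, artifact, version):
    """Return (cve, status): 'vulnerable', 'patched', 'review' (branch not covered by
    the advisory or unparsable version), or (None, None) for unrelated artifacts."""
    for cve, rule in CONFIRMED_VULNERABLE.items():
        if group != rule["group"] or not artifact.startswith(rule["prefix"]):
            continue
        parsed = parse_version(version)
        if parsed is None:
            return cve, "review"
        major, minor, patch = parsed
        bound = rule["bounds"].get((major, minor))
        if bound is None:
            return cve, "review"
        return cve, "vulnerable" if patch <= bound else "patched"
    return None, None

def audit(dependency_list):
    """Scan dependency-list text and return (artifact, version, cve, status) findings."""
    findings = []
    for line in dependency_list.splitlines():
        m = DEP_LINE.search(line)
        if m:
            cve, status = classify(m["group"], m["artifact"], m["version"])
            if cve:
                findings.append((m["artifact"], m["version"], cve, status))
    return findings

if __name__ == "__main__":
    for artifact, version, cve, status in audit(SAMPLE):
        print(f"{status:<10} {cve}  {artifact}:{version}")
```

Run it against the real output of `mvn dependency:list` (or any text in the same coordinate format) to get a per-artifact list of what still needs the 5.3.18/5.2.20 or 3.1.7 updates.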

Accorian is continuously monitoring the situation and can aid in identifying the vulnerabilities in your infrastructure. Kindly reach out to us.  
