Threat Advisory


April 1, 2022 | By Accorian


Spring has announced a new zero-day weakness in the Spring Core Java framework: an RCE (Remote Code Execution) on an unauthenticated system. Spring is an open-source application framework that provides infrastructure support for creating Java applications that can be deployed on servers as discrete packages. Approximately 70 percent of all Java applications use it; hence, any critical vulnerability identified in Spring has a massive impact.

Currently, 2 remote code execution issues have been confirmed:

  1. CVE-2022-22965 – On March 29, 2022, a Chinese researcher posted on his Twitter account a POC of a Remote Code Execution vulnerability in the Spring Core Java library. It has been named "Spring4Shell" and has been confirmed by several sources in Spring Core <=5.3.17 and <=5.2.19; the vulnerability leverages class injection. The impact identified is severe. Patches are now available for Spring4Shell in Spring versions 5.3.18 and 5.2.20.
  2. CVE-2022-22963 – In CVE-2022-22963, Spring Cloud Function permits a SpEL expression supplied in an HTTP request header parameter to be injected and executed through StandardEvaluationContext. This vulnerability has been confirmed in Spring Cloud Function <=3.1.6 and <=3.2.2. Patches are now available for this CVE in Spring Cloud Function versions 3.1.7 and 3.2.2.
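As an added example (not code from this advisory, and not Spring's own library code), the following Java shows two defender-side controls that correspond to the two CVEs above. The first class reproduces the interim workaround the Spring team published alongside its CVE-2022-22965 advisory: a `@ControllerAdvice` whose `@InitBinder` denies data binding for any field path that walks through `class`/`Class`, so the ClassLoader cannot be reached via request parameters. The second class is a hypothetical helper (the names `RestrictedSpel`, `evaluate` and `Greeting` are assumptions for this illustration) that evaluates SpEL with `SimpleEvaluationContext`, the restricted context Spring provides as an alternative to the `StandardEvaluationContext` named in CVE-2022-22963. It assumes `spring-webmvc` and `spring-expression` 5.x on the classpath.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.Expression;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Interim mitigation for CVE-2022-22965 (Spring4Shell), matching the workaround
 * published by the Spring team: refuse to bind any request parameter whose
 * property path passes through "class"/"Class", so ClassLoader properties are
 * unreachable through data binding. Registered as a bean, it runs with the lowest
 * precedence so it still applies after any controller-specific @InitBinder.
 * Upgrading to 5.3.18 / 5.2.20 remains the actual fix.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    // Patterns as given in the Spring advisory; wildcards use WebDataBinder's own syntax.
    private static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setDisallowedFields(WebDataBinder binder) {
        binder.setDisallowedFields(DENYLIST);
    }
}

/**
 * Hypothetical helper showing restricted SpEL evaluation. SimpleEvaluationContext
 * excludes type references (T(...)), constructors and bean references, all of which
 * StandardEvaluationContext allows; read-only data binding additionally limits
 * property access to public getters on the root object.
 */
class RestrictedSpel {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    static Object evaluate(String expression, Object root) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        Expression expr = PARSER.parseExpression(expression);
        return expr.getValue(ctx, root);
    }

    // Constructed sample root object used only for this demonstration.
    public static class Greeting {
        private final String name;
        Greeting(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public static void main(String[] args) {
        Greeting root = new Greeting("spring");
        // Plain property access is the use case the restricted context is designed for.
        System.out.println(evaluate("name", root));
        // A type reference lies outside the subset SimpleEvaluationContext supports,
        // so evaluation fails with an EvaluationException instead of running it.
        try {
            evaluate("T(java.lang.Math).max(1, 2)", root);
        } catch (EvaluationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Save the file as `BinderControllerAdvice.java` (the public class dictates the file name); the `@ControllerAdvice` takes effect only inside a Spring MVC context, while `RestrictedSpel.main` runs with just `spring-expression` and its dependencies on the classpath. The binder denylist is a stopgap that assumes no controller narrows the disallowed fields afterwards, which is why the advisory pairs it with the version upgrade rather than offering it as a replacement.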

Engineers and Spring admins should prioritize deploying these security updates as soon as possible because, according to vulnerability analyst Will Dormann, even the available sample code is vulnerable, and plenty of developers use that code as a template for their applications.

Accorian is continuously monitoring the situation and can aid in identifying the vulnerabilities in your infrastructure. Kindly reach out to us.  
