CVE-2022-22965
Oracle WebLogic Server vulnerability analysis and mitigation

Overview

CVE-2022-22965 is a critical remote code execution (RCE) vulnerability in the Spring Framework that affects Spring MVC and Spring WebFlux applications running on JDK 9+ via data binding. The vulnerability was discovered and reported to VMware on March 31, 2022, by codeplutos and meizjm3i of AntGroup FG Security Lab, with a secondary report from Praetorian (Spring Security, NVD).

Technical details

The vulnerability exists in Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19. It specifically requires the following conditions: JDK 9 or higher, Apache Tomcat as the Servlet container, application packaged as WAR, and spring-webmvc or spring-webflux dependency. The vulnerability occurs when special objects or classes are exposed under certain conditions during data binding, allowing attackers to access and manipulate class objects through property chains. The vulnerability has a CVSS v3.1 base score of 9.8 (Critical) (Spring Security, NVD).

Impact

Successful exploitation allows remote attackers to execute arbitrary code on vulnerable systems with the privileges of the affected application. If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to the known exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it (Spring Security).

Mitigation and workarounds

The primary mitigation is to upgrade to Spring Framework versions 5.3.18+ or 5.2.20+. For applications that cannot upgrade, alternative mitigations include: upgrading to Apache Tomcat versions 10.0.20, 9.0.62, or 8.5.78, downgrading to Java 8, or setting the disallowedFields property on WebDataBinder to block access to dangerous class properties during data binding (Spring Security).
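The disallowedFields workaround as an added example (not code from this page or from the Spring project): a global @ControllerAdvice that denies binding to any property path that reaches the `class` object. The field patterns follow the ones Spring published in its advisory; the class name BinderControllerAdvice and the @Order value are assumptions.

```java
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.core.annotation.Order;

/**
 * Global data-binding hardening for Spring MVC / WebFlux applications that
 * cannot yet upgrade to Spring Framework 5.3.18+ / 5.2.20+.
 *
 * Class name is an assumption for this example. The high @Order value is
 * also an assumption: it makes this advice run after other @ControllerAdvice
 * beans so that its deny-list is the last word on the binder.
 */
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {

    /**
     * Patterns published by Spring as the workaround: block the "class"
     * property itself and any nested path that passes through it. Both
     * casings are listed because, before the patched releases, the
     * disallowedFields match was case-sensitive.
     */
    private static final String[] DENYLIST = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Preserve any deny-list a controller-local @InitBinder already set,
        // then append the class-property patterns.
        String[] existing = dataBinder.getDisallowedFields();
        String[] merged;
        if (existing == null || existing.length == 0) {
            merged = DENYLIST;
        } else {
            merged = new String[existing.length + DENYLIST.length];
            System.arraycopy(existing, 0, merged, 0, existing.length);
            System.arraycopy(DENYLIST, 0, merged, existing.length, DENYLIST.length);
        }
        dataBinder.setDisallowedFields(merged);
    }
}
```

Caveat: a controller-local @InitBinder method that calls setDisallowedFields with its own list runs after this advice and replaces the deny-list, so every such method must include the same class patterns; this is a workaround, not a substitute for upgrading.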

Community reactions

The vulnerability gained significant attention in the cybersecurity community, being dubbed "Spring4Shell". Multiple security vendors and researchers published analyses and detection methods. Organizations like Cisco, VMware, and other major vendors quickly released security advisories and patches for their affected products (Cisco Advisory).

Source: This report was generated using AI.