
Spring4Shell extends to Glassfish and Payara: same vulnerability, new exploit

Blog post from Snyk

Post Details

Author: Brian Vermeer
Word Count: 1,015
Language: English
Summary

The discovery of Spring4Shell, a remote code execution (RCE) vulnerability in older versions of the spring-beans package, has led to the creation of exploits for Glassfish and Payara servers that leverage the same underlying issue. These new exploits demonstrate that the vulnerability is not specific to Tomcat and can be triggered on other application servers as well. The most important lesson is that updating the spring-beans package to version 5.3.18 or 5.2.20 or later resolves the vulnerability regardless of which application server is in use. Snyk's Security Research team identified the writable attributes exposed by specific application servers; one of these properties can be used to set the root directory for an exploit, giving access to files that would normally be unavailable on the system.