Critical Vulnerability in Spring Core: CVE-2022-22965 a.k.a. Spring4Shell
Blog post from Sysdig
A critical vulnerability known as Spring4Shell (CVE-2022-22965) has been identified in the popular Java framework Spring Core when running on JDK 9 or higher. It allows remote code execution (RCE) through class injection and can lead to a complete system compromise. The vulnerability affects Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19, as well as older, unsupported versions, and is only exploitable when certain conditions are met, such as running on JDK 9 or higher, deploying on Apache Tomcat, and using specific dependencies. It is distinct from CVE-2022-22963, which impacts Spring Cloud. To mitigate the risk, affected systems should be updated to version 5.3.18 or later, or 5.2.20 or later. Vulnerable images and workloads can be detected with tools such as Sysdig, which scans during the build, deployment, and runtime phases. The article emphasizes the importance of continuous monitoring and of adapting security policies to address emerging threats in real time.
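The first defensive step the summary describes is knowing whether a build pulls in an affected Spring Framework release. The following is an added example, not code from the Sysdig post: it encodes the affected version ranges stated above and checks the direct dependencies of a constructed Maven pom.xml against them. It assumes that all org.springframework artifacts share one version and that release lines newer than 5.3 postdate the fix.

```python
import re
import xml.etree.ElementTree as ET
# Affected ranges from the advisory: 5.3.0-5.3.17 (fixed in 5.3.18) and
# 5.2.0-5.2.19 (fixed in 5.2.20); older, unsupported lines are also affected.
FIXED_BY_LINE = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

def parse_version(text):
    """Return (major, minor, patch) or None for unresolved values like ${spring.version}."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None

def is_vulnerable(version):
    """True if this Spring Framework version predates the CVE-2022-22965 fix."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unresolved version: {version!r}")
    if v[:2] in FIXED_BY_LINE:
        return v < FIXED_BY_LINE[v[:2]]
    # Assumption: lines newer than 5.3 postdate the fix; anything below 5.2.0
    # is an unsupported line that the advisory lists as affected.
    return v < (5, 2, 0)

def vulnerable_spring_deps(pom_xml):
    """Return [(artifactId, version)] for direct org.springframework deps in an affected range."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the Maven namespace so tags compare by local name
        el.tag = el.tag.split("}")[-1]
    hits = []
    for dep in root.iter("dependency"):
        group, artifact, version = (dep.findtext(t, "") for t in ("groupId", "artifactId", "version"))
        if group != "org.springframework":
            continue
        if parse_version(version) is None:
            continue  # property placeholder: resolve with `mvn help:effective-pom` first
        if is_vulnerable(version):
            hits.append((artifact, version))
    return hits

# Constructed sample pom.xml: one affected, one fixed, one unresolved dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
  <dependency><groupId>org.springframework</groupId>
    <artifactId>spring-webmvc</artifactId><version>5.3.17</version></dependency>
  <dependency><groupId>org.springframework</groupId>
    <artifactId>spring-core</artifactId><version>5.2.20</version></dependency>
  <dependency><groupId>org.springframework</groupId>
    <artifactId>spring-context</artifactId><version>${spring.version}</version></dependency>
</dependencies></project>"""

if __name__ == "__main__":
    print(vulnerable_spring_deps(SAMPLE_POM))  # [('spring-webmvc', '5.3.17')]
```

Only direct dependencies are inspected here; transitive Spring versions pulled in by starters or parent POMs need the resolved tree (for example `mvn dependency:tree`) or an image scanner as the post recommends.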