Spring4Shell Update – April 2022

Just in case ProxyShell, ProxyLogon, Log4Shell, and Chrome 0Days just weren’t exciting enough, we now have Spring4Shell. Java is the gift that keeps on giving.

Spring4Shell (CVE-2022-22965) is a Remote Code Execution (RCE) vulnerability that is currently being exploited in the wild. The RCE is found in the Spring Framework, an open-source framework used in Java applications (typically enterprise apps). Spring4Shell carries a CVSS 9.8 (critical) score because an unauthenticated attacker can gain code execution on the server; combined with how widely the framework is used, that makes it a priority to patch.

Here is the good news: Spring4Shell does not appear to be as prevalent as Log4Shell, because a few non-default conditions need to exist for exploitation. Couple that with the fact that the exploit is not a simple one-liner, and we can all take a collective exhale.

The exploitation seen so far requires all of the following to be true:

  • Apache Tomcat as the Servlet container – Tomcat provides a pure Java HTTP web server environment in which Java code can run.
  • Spring Framework 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, or any older release (i.e., anything before 5.2.20 or 5.3.18)
  • JDK version 9 or higher
  • Spring-webmvc or Spring-webflux on the classpath
  • Packaged and deployed as a WAR (Web Application Archive) file, as opposed to Spring Boot's default executable JAR with embedded Tomcat

If your application does not match this profile, it is not known to be exploitable by the public exploit, but Spring has been clear that other attack paths may exist, so you should still patch.

Spring has released patches, with details available at https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement. We recommend upgrading Spring Framework to 5.2.20 or 5.3.18 (or later), and Spring Boot to 2.5.12 or 2.6.6 (or later), which pull in the fixed Framework versions.
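As an added example (not code from the original post or from the Spring project), the following Python script applies the preconditions listed above, together with the fixed versions from Spring's announcement, to an inventory of a deployed application: the jar names from WEB-INF/lib, the JDK version string, and the packaging type. The sample jar lists and version strings are constructed inputs, not taken from a real deployment. The verdict is a triage aid for prioritizing which apps to patch first; a False result is not proof that an application is safe.

```python
import re

# Version matching for spring-webmvc / spring-webflux jar file names, e.g.
# "spring-webmvc-5.3.17.jar" or "spring-webmvc-5.2.19.RELEASE.jar".
JAR_RE = re.compile(r"^(spring-(?:webmvc|webflux))-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$")


def parse_spring_jar(name):
    """Return (artifact, (major, minor, patch)) for a webmvc/webflux jar, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def spring_version_affected(version):
    """Affected per Spring's announcement: 5.3.0-5.3.17, 5.2.0-5.2.19, and older.
    Fixed releases are 5.2.20 and 5.3.18."""
    return version < (5, 2, 20) or (5, 3, 0) <= version < (5, 3, 18)


def java_major(version_string):
    """Normalize 'java -version' output: '1.8.0_312' -> 8, '11.0.14' -> 11, '17' -> 17.
    Releases before 9 used the 1.x scheme, so the second component is the real major."""
    parts = version_string.split(".")
    if parts[0] == "1" and len(parts) > 1:
        return int(parts[1])
    return int(re.match(r"\d+", parts[0]).group(0))


def assess_webapp(lib_jar_names, java_version, packaging):
    """Check one deployed app against the Spring4Shell preconditions.

    lib_jar_names: file names found in WEB-INF/lib
    java_version:  the JVM version string Tomcat runs under
    packaging:     'war' or 'jar'
    Returns the individual findings plus an 'at_risk' verdict that is True only
    when every precondition holds. False does not prove the app is safe.
    """
    findings = {
        "war_on_servlet_container": packaging.lower() == "war",
        "jdk9_or_newer": java_major(java_version) >= 9,
        "affected_spring_jars": [],
    }
    for name in lib_jar_names:
        parsed = parse_spring_jar(name)
        if parsed and spring_version_affected(parsed[1]):
            findings["affected_spring_jars"].append(name)
    findings["at_risk"] = (
        findings["war_on_servlet_container"]
        and findings["jdk9_or_newer"]
        and bool(findings["affected_spring_jars"])
    )
    return findings


# Constructed sample inventories (hypothetical, not a real deployment).
SAMPLE_WEB_INF_LIB = [
    "spring-core-5.3.17.jar",
    "spring-webmvc-5.3.17.jar",
    "tomcat-embed-el-9.0.60.jar",
]
PATCHED_WEB_INF_LIB = [
    "spring-core-5.3.18.jar",
    "spring-webmvc-5.3.18.jar",
]

if __name__ == "__main__":
    # Vulnerable profile: WAR on Tomcat, JDK 11, spring-webmvc 5.3.17.
    print(assess_webapp(SAMPLE_WEB_INF_LIB, "11.0.14", "war"))
    # Same jars under JDK 8 do not meet the preconditions for the public exploit.
    print(assess_webapp(SAMPLE_WEB_INF_LIB, "1.8.0_312", "war"))
    # Patched Framework: no affected jar, so not at risk from this issue.
    print(assess_webapp(PATCHED_WEB_INF_LIB, "17.0.2", "war"))
```

In practice, the jar names come from `ls $CATALINA_BASE/webapps/<app>/WEB-INF/lib` on each Tomcat host and the JVM version from `java -version`; feeding those into `assess_webapp` gives a quick first cut across a fleet before the slower work of confirming the fix in each build.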
