Spring Framework remote code execution [CVE-2022-22965]
CVE number = CVE-2022-22965
Spring Framework could allow a remote attacker to execute arbitrary code on the system, caused by the improper handling of PropertyDescriptor objects used with data binding. By sending specially-crafted data to a Spring Java application, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Note: The exploit requires Spring Framework to be run on Tomcat as a WAR deployment with JDK 9 or higher using spring-webmvc or spring-webflux.
Note: This vulnerability is also known as Spring4Shell or SpringShell.
Resolution
Upgrade to the latest version of Spring Framework (5.3.18, 5.2.20 or later), available from the Spring Blog, March 31, 2022.
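Upgrading is the fix. Where the upgrade has to be scheduled, the temporary mitigation Spring published alongside the advisory is to stop the data binder from binding request parameters through the `class` property path, which is the PropertyDescriptor handling the exploit depends on. The following Spring MVC `@ControllerAdvice` is an added example written for this page, not code from the page or from the Spring project; the package and class names are assumptions, and it relies on the standard `WebDataBinder.setDisallowedFields` API.

```java
package com.example.hardening; // hypothetical package name

import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global @InitBinder applied to every controller's WebDataBinder.
 *
 * Disallows any request parameter that would bind via the "class" / "Class"
 * property at the top level or anywhere along a nested path, so the binder
 * never reaches the PropertyDescriptor chain the CVE-2022-22965 exploit uses.
 *
 * Caveat: a controller that declares its own @InitBinder and calls
 * setDisallowedFields(...) locally replaces this list; such controllers must
 * repeat these patterns in their own binder. This is a stopgap only; the
 * actual resolution is the Spring Framework upgrade named above.
 */
@ControllerAdvice
public class BinderControllerAdvice {

    // Patterns are matched against the canonical property path of each field.
    private static final String[] DENIED_FIELDS = {
        "class.*", "Class.*", "*.class.*", "*.Class.*"
    };

    @InitBinder
    public void restrictClassBinding(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENIED_FIELDS);
    }
}
```

After deploying this, a request carrying a parameter such as `class.module.classLoader...` is rejected by the binder instead of being applied; verifying that in a staging environment (and checking that no controller-local `@InitBinder` silently overrides the list) is the check worth doing before relying on it.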
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional, with an interest in computer security and telecoms.