Tracked as CVE-2022-22965, the vulnerability dubbed Spring4Shell impacts the Spring Framework, the most popular Java application development framework in the world, and could lead to the execution of code remotely. Security researchers have already observed attempts to exploit the flaw in the wild. SAP published three Spring4Shell-related security notes, all rated “Hot News,” the highest rating in the company’s books, two of which address CVE-2022-22965 in HANA Extended Application Service and Customer Checkout. The third note, however, is a central note for Spring4Shell, which suggests that SAP expects the impact from this vulnerability to be wider.
Organizations that use SAP software should apply the patches released by SAP as soon as possible to remediate this remote code execution vulnerability. In addition to specific SAP software, updating to the patched versions of the Spring framework across all Java applications is critical. Due to the widespread deployment of the Spring framework, large scale attacks may take advantage of unpatched systems.