Last week, security researchers found a critical vulnerability in Spring, the popular Java framework. Over the past week, many researchers have released Proof-of-Concept (POC) exploits for the vulnerability against various Spring framework setups, accelerating the need for a patch. Spring4Shell, officially tracked as CVE-2022-22965, is a remote code execution vulnerability with a severity score of 9.8 out of 10. This means that anyone with access to a vulnerable application could execute arbitrary code on the system hosting that application.
Specifically, the critical vulnerability affects Spring MVC and Spring WebFlux applications running JDK version 9 and above, and it is actively being exploited against such applications. The known exploit for the vulnerability requires that the application be running on Tomcat as a WAR deployment. VMware has published security updates for this vulnerability in the following releases:
- Spring Framework 5.3.18 and Spring Framework 5.2.20
- Spring Boot 2.5.12
- Spring Boot 2.6.6 (not yet released)
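To turn the patch versions and exploit preconditions above into a quick inventory triage, here is an added example (not code from the advisory or from the Spring project). It compares each deployment's Spring Framework or Spring Boot version against the first fixed release of its line and flags whether the JDK 9+ and Tomcat WAR preconditions are met; the inventory entries are constructed sample data.

```python
"""Triage: which deployments sit in the CVE-2022-22965 window?
Fixed versions and exploit preconditions are taken from the advisory text;
the inventory below is constructed sample input, not real systems."""
from dataclasses import dataclass

# First fixed release per affected minor line (from the advisory).
FIXED = {
    "spring-framework": {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)},
    "spring-boot":      {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)},
}

def parse_version(text: str) -> tuple:
    """'5.3.17' -> (5, 3, 17); a trailing qualifier like '-RC1' is dropped."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def is_patched(artifact: str, version: str) -> bool:
    """True when the version is at or above the first fixed release of its
    minor line. Lines not listed in the advisory are treated as unpatched."""
    v = parse_version(version)
    fixed = FIXED[artifact].get(v[:2])
    return fixed is not None and v >= fixed

@dataclass
class Deployment:
    name: str
    artifact: str       # "spring-framework" or "spring-boot"
    version: str
    jdk_major: int
    tomcat_war: bool    # packaged as a WAR and run on Tomcat

def triage(d: Deployment) -> str:
    """'patched', 'exposed' (unpatched and all exploit preconditions met),
    or 'vulnerable-dependency' (unpatched, but a precondition is absent)."""
    if is_patched(d.artifact, d.version):
        return "patched"
    if d.jdk_major >= 9 and d.tomcat_war:
        return "exposed"
    return "vulnerable-dependency"

# Constructed sample inventory.
INVENTORY = [
    Deployment("billing-api", "spring-framework", "5.3.17", 11, True),
    Deployment("reports", "spring-boot", "2.5.12", 17, True),
    Deployment("legacy-portal", "spring-framework", "5.2.19", 8, True),
    Deployment("batch-jar", "spring-boot", "2.6.5", 11, False),
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d.name:14} {d.artifact} {d.version:8} -> {triage(d)}")
```

A "vulnerable-dependency" result still needs the upgrade; it only means the deployment form described in the advisory as required by the known exploit is not present.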
VMware has also reviewed its own product portfolio, and its ongoing investigation has so far identified the following impacted products:
- VMware Tanzu Application Service for VMs: versions 2.20-2.13 (patch released)
- VMware Tanzu Operations Manager: versions 2.8-2.9 (patch released)
- VMware Tanzu Kubernetes Grid Integrated Edition (TKGI): versions 1.11-1.13 (no patch released)