Introducing: Spring4Shell Resource Center

Hi Sonatype Community,

As you likely saw in our Sonatype Community announcement last week, news broke on March 30, 2022, of a new vulnerability, dubbed "Springshell / Spring4shell,” a critical Remote Code Execution (RCE) flaw.

Sonatype deep-dive data research confirmed that this serious vulnerability affects the popular spring-beans and spring artifacts. Although critical, fortunately it exists under the following non-standard configuration conditions (as most Spring apps now use Spring Boot):

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

Spring has acknowledged the vulnerability and released 5.3.18 and 5.2.20 to patch the issue as well as version 2.6.6 for spring-boot. We recommend an immediate upgrade for all users.

Unsure if your organization is impacted? See our Find & Fix Springshell guide for help as you investigate your applications and environments for this vulnerability.

We’re also proud to introduce the Spring4Shell Resource Center to help interested parties track how the world is adopting these new fixes. Please visit the resource center to find a range of resources to describe and resolve the critical software vulnerabilities in the Spring Framework.

Please also note that Sonatype applications are NOT affected by this vulnerability, and we’ve updated the previous Community post to reflect that.

If you have any additional questions, we are happy to answer them in the thread below.

For continuing updates and additional information, please visit this Sonatype blog post.