A remote code execution (RCE) vulnerability dubbed "Spring4Shell" (CVE-2022-22965) was made public on Twitter by an unknown user.
The proof of concept in those since-deleted Tweets demonstrates an exploit for a vulnerability in the Spring Framework for Java.
The conditions known to be required for the published exploit are running on JDK 9 or newer, using Spring MVC or Spring WebFlux, and being deployed as a WAR on Apache Tomcat; other deployment shapes have not been ruled out, so any Spring application on JDK 9+ should be treated as potentially exposed until patched.
LunaSec has an in-depth write-up analyzing the vulnerability and providing various mitigation methods in their blog post.
It is highly recommended that users running Apache Tomcat with the Spring Framework update to version 5.3.18 or later (5.3.x line) or 5.2.20 or later (5.2.x line); Spring Boot users should move to Spring Boot 2.6.6 or 2.5.12, which pull in the fixed framework versions.
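The following script is an added example, not part of the original advisory and not Addigy's or Spring's tooling. It turns the two conditions above (JDK 9 or newer, Spring Framework below 5.3.18 / 5.2.20) into a quick exposure check for a Tomcat host: it parses the first line of `java -version`, and it walks exploded web applications under a webapps directory (assumed layout: webapps/<app>/WEB-INF/lib/spring-webmvc-<version>.jar or spring-webflux-<version>.jar) reporting any jar on an unpatched version. It reads versions from strings and filenames only and does not attempt the exploit.

```shell
#!/bin/sh
# Added example (not from the original advisory): exposure check for
# CVE-2022-22965 based on Java major version and Spring Framework jar versions.
# Assumes Tomcat has already exploded each WAR into webapps/<app>/WEB-INF/lib/.

# Map the first line of `java -version` output to a major version number.
# JDK 8 and earlier report "1.8.0_312"; JDK 9 and later report "9", "11.0.14", "17.0.2".
java_major() {
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p')
  case "$v" in
    1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
    *)   printf '%s\n' "$v" | cut -d. -f1 ;;
  esac
}

# Exit status 0 if a Spring Framework version is on a patched line, 1 otherwise.
# Fixed releases: 5.3.18 (5.3.x) and 5.2.20 (5.2.x). Older lines received no fix
# and are treated as unpatched; lines newer than 5.3 postdate the fix.
spring_patched() {
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}; rest=${rest#*.}
  patch=${rest%%[!0-9]*}          # drop suffixes such as ".RELEASE" or "-SNAPSHOT"
  [ "$major" -gt 5 ] 2>/dev/null && return 0
  [ "$major" -eq 5 ] 2>/dev/null || return 1
  case "$minor" in
    3) [ "${patch:-0}" -ge 18 ] ;;
    2) [ "${patch:-0}" -ge 20 ] ;;
    *) [ "$minor" -gt 3 ] ;;
  esac
}

# Scan exploded web applications under a Tomcat webapps directory.
# Prints each unpatched Spring MVC/WebFlux jar; exit status 1 if any were found.
# Caveat: a WAR that has not been exploded yet is not inspected.
scan_webapps() {
  status=0
  for jar in "$1"/*/WEB-INF/lib/spring-webmvc-*.jar "$1"/*/WEB-INF/lib/spring-webflux-*.jar; do
    [ -e "$jar" ] || continue     # glob matched nothing
    name=${jar##*/}               # e.g. spring-webmvc-5.3.17.jar
    ver=${name#spring-web*-}      # e.g. 5.3.17.jar
    ver=${ver%.jar}               # e.g. 5.3.17
    if spring_patched "$ver"; then
      echo "ok        $jar"
    else
      echo "UNPATCHED $jar"
      status=1
    fi
  done
  return $status
}

# Usage: sh spring4shell-check.sh /var/lib/tomcat9/webapps
if [ -n "${1:-}" ]; then
  if command -v java >/dev/null 2>&1; then
    echo "java major version: $(java_major "$(java -version 2>&1 | head -n 1)")"
  fi
  scan_webapps "$1"
fi
```

A non-zero exit from scan_webapps means at least one application ships an unpatched Spring MVC or WebFlux jar; combine that with a Java major version of 9 or higher to prioritise which hosts to patch first. The check is a version inventory, not proof of exploitability, and applications that bundle Spring some other way (a fat jar, a shared lib directory) need to be inventoried separately.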
Addigy is not impacted by this vulnerability as it does not use Java or Tomcat in its infrastructure.
We will be closely monitoring the situation and will provide updates as needed.
Addigy Security Team