April 2022

The worldwide JAVA community went bonkers last week!

It all started when a Chinese security researcher leaked a proof-of-concept (PoC) 0-day exploit before deleting its Twitter account helloexp.

The vulnerability is a 0-day exploit in the Spring Core Java framework, “Spring4Shell.” Just like Log4shell, with a potential to “destroy all internet.”


Despite the fact that Spring developers added CVE-2022-22965 on March 31st. The danger is still there. Don’t panic, we have a secret plan to keep your Java scripts secured. 

So, this post is going to summarize the scope of vulnerability so far? How can you save yourself? Also, what to expect in the coming days.

So let’s begin with a short crisp overview.

What’s Actually Happened?

Spring4shell was released as a zero-day exploit (attacker attacks the software vulnerability unknown to the manufacturer). It was quickly recognized as a bypass of patch CVE-2010-1622- vulnerability found in earlier versions of Spring Frameworks. This allowed the attackers to obtain remote control execution (RCE)-attacker can control the computing device remotely.

Here, the vulnerability allows the attacker to upload a “web shell” ( a piece of code that accepts commands from the attacker that the webserver is then tricked into executing) to the vulnerable server. In short, achieving remote command execution.

Why is Spring Framework that Important?

Spring Framework is a Java platform that gives a comprehensive infrastructure for developing Java applications. Let’s first understand Spring MVC for deeper vulnerability knowledge. 

Spring MVC ( Model-View-Controller) is part of the Spring Framework which makes it easy to develop web apps following the MVC design pattern. 

One of its key features involves automatically copying and populating objects of a specified class upon the endpoint request. In simple terms, this could be abused to overwrite the important attributes of the parent class, resulting in remote code execution. 

 To explain it in detail the Spring4shell vulnerability forces the application to write a malicious .jsp file (a Java document used to create a webpage).  Effectively consisting of plain text  JAVA which Tomcat can execute- (in a similar manner PHP server would execute files with a .php extension) to the webserver.   This web shell can then be executed to attain remote command execution over the target.


  • An RCE in Spring Core– Spring4Shell

The fact that this vulnerability can cause the parent framework to write malicious code makes it dangerous. So vulnerable to an RCE  attack. 

First things first, we recommend all the users apply the mitigations stated later in this blog.

☠️ Alert!!! There is an unconfirmed deserialization weakness in Spring Core that can potentially lead to an RCE for Spring Core <=5.3.17

  • RCE in “Spring Cloud Function” 

If you are a  user of the Spring Cloud Function library, you must immediately upgrade to 3.1.7+ or 3.2.3+ to fend yourself off from an RCE attack.

☠️Alert!!! A confirmed RCE in Spring Cloud Function (<=3.1.6 and <=3.2.2).

We recommend all Spring users to update, starting from those using TomCat.

The most important question of all is… Are you vulnerable?

Am I vulnerable?⚠️ If yes, how can I block the threat?  myself?

Well,  we bet if you are:

  • Running on JDK 9 or higher
  • Using old versions such as 5.3.0 to 5.3.17, and 5.2.0 to 5.2.19
  • Dependency on Spring-webflux or spring-webmvc 
  • Apache Tomcat as Servlet container

RememberTo fight your bug, you should know your bug 

So, let’s get deeper and reveal how to kill that bug: 

Simple Workarounds :

Quick version upgrading may be impossible for some. For this, Spring has suggested some speedy workarounds listed below:

  • Demote to Java 8 
  • Disallowed Fields
  • Upgrading Tomcat

It is noteworthy that these workarounds are essential to shield your java framework against vulnerability security that is always achieved from the depths of the problem. 👍.To assess your mobile app vulnerability deeply click here to get a consultation from our security experts.

Let’s run into the details.

  1. Demote to Java 8

If you can neither upgrade Apache Tomcat nor Spring Framework, then downgrading to Java 8 is your best option.

2.Disallowed Fields

Another possible viable solution is to disable binding to a particular field by setting disallowedFields on WebDataBinder  globally



public class BinderControllerAdvice {


    public void setAllowedFields(WebDataBinder dataBinder) {

         String[] denylist = new String[]{“class.*”, “Class.*”, “*.class.*”, “*.Class.*”};




For applying it without any loophole, applications could extend RequestMappingHandlerAdapter to update WebDataBinder at the end after all other initialization. 

To do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

For instance in Spring MVC or similar in WebFlux:


package car.app;

import java.util.ArrayList;

import java.util.Arrays;

import java.util.List;

import org.springframework.boot.SpringApplication;

import org.springframework.boot.autoconfigure.SpringBootApplication;

import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;

import org.springframework.context.annotation.Bean;

import org.springframework.web.bind.ServletRequestDataBinder;

import org.springframework.web.context.request.NativeWebRequest;

import org.springframework.web.method.annotation.InitBinderDataBinderFactory;

import org.springframework.web.method.support.InvocableHandlerMethod;

import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;

import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;


public class MyApp {

public static void main(String[] args) {

SpringApplication.run(CarApp.class, args);



public WebMvcRegistrations mvcRegistrations() {

return new WebMvcRegistrations() {


public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {

return new ExtendedRequestMappingHandlerAdapter();




private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {


protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {

return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {


protected ServletRequestDataBinder createBinderInstance(

Object target, String name, NativeWebRequest request) throws Exception {

ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);

String[] fields = binder.getDisallowedFields();

List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());

fieldList.addAll(Arrays.asList(“class.*”, “Class.*”, “*.class.*”, “*.Class.*”));

binder.setDisallowedFields(fieldList.toArray(new String[] {}));

return binder;






3. Upgrade the TomCat

Upgrading to Apache Tomcat 10.0.20 or 8.5.78 gives adequate protection. 

How are we dealing with Spring4shell?

The Spring Framework with major fixes i.e.,  5.3.18 and 5.2.20 has been released. The Spring Framework 5.3.18. includes Spring Boot 2.6.6 and 2.5.12 updates. 

You must upgrade your application and apply relevant mitigation measures. 

Currently, Spring4shell is less vulnerable in contrast to the Log4Shell mainly because of the mitigation measures available. On the contrary, researchers are warning that if stakeholders fail to take necessary measures to omit RCE bugs, the Java world may become the Next Log4Shell.

ARFASOFTECH – All Prepared to Rescue You!

Last year Log4j and this year Spring4shell. It seems like these exploits are not going to stop, but don’t worry, ARFASOFTECH got your back. Our cybersecurity experts are always geared to block cyber-attacks and help you mitigate any security threats.

ARFASOFTECH's cybersecurity specialists are available 24/7/365 to assist you in

  • Detecting security loopholes and suggesting threat mitigation solutions
  • Offering in-depth product QA to increase safety and minimize errors
  • Monitoring your network traffic to avoid cyber espionage and hack attempts 

Let’s ensure bulletproof cybersecurity for your Java projects, so your success never delays while your security stays intact.

Click to get Free consultation

We are sure, you are grave-serious for your business’ security and privacy policy!


Fahad Ali, Author

Fahad is PM at ARFASOFTECH but has a knack for writing. He enjoys writing about the latest technologies and evolving trends. Most of his writings revolve around trending technologies and their integration into operations.

Comments (0)

Leave a comment