Critical Spring Framework RCE Vulnerability: What You Need to Know and How to Fix It
A high‑severity remote code execution flaw affecting multiple Spring Framework versions and Java 9+ environments was disclosed in March 2022, prompting urgent patches, detailed mitigation steps, and code examples for developers to protect their applications.
Following the Log4j2 incident, the Java ecosystem faced another serious threat: a remote code execution (RCE) vulnerability in the Spring family of frameworks, which are core to many Java applications.
On March 30, the China National Vulnerability Database (CNVD) received a report from Ant Group about this Spring Framework RCE flaw (CNVD-2022-23942), rating it as high-risk and allowing unauthenticated command execution.
Spring.io issued an early announcement on March 31 confirming the vulnerability and providing initial guidance.
The affected range includes JDK 9 and newer, Spring Framework versions 5.3.0‑5.3.17, 5.2.0‑5.2.19, and earlier releases.
Community reaction was intense, with many developers scrambling to determine whether their projects were vulnerable, and numerous security researchers sharing the issue on GitHub and social media.
Spring officially verified the flaw and listed conditions that likely indicate exposure:
Running on JDK 9 or higher
Using Apache Tomcat as the servlet container
Packaging as a traditional WAR (as opposed to an executable Spring Boot JAR)
Including spring-webmvc or spring-webflux dependencies
Using Spring Framework 5.3.0‑5.3.17, 5.2.0‑5.2.19, or earlier versions
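The following audit program is an added example, not code from the original article or from Spring. It checks the two conditions in the list above that can be tested mechanically: the major Java version of the running JVM, and whether the Spring Framework jars in a directory such as an exploded WAR's WEB-INF/lib predate the fixed releases 5.3.18 and 5.2.20 named below. The jar-name pattern, the directory argument and the class name are assumptions made for this example; the Tomcat, WAR-packaging and dependency conditions still have to be confirmed by hand.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;

// Added example: audits a jar directory against the affected Spring Framework ranges.
public class SpringVersionAudit {

    // Assumed naming convention: spring-webmvc-5.3.17.jar, spring-webflux-5.2.19.RELEASE.jar, etc.
    private static final Pattern SPRING_JAR = Pattern.compile(
            "^(spring-(?:webmvc|webflux|beans|core|web))-(\\d+)\\.(\\d+)\\.(\\d+)(?:[.-][^/]*)?\\.jar$");

    // Major Java version from the java.version property: "1.8.0_292" -> 8, "11.0.2" -> 11, "17" -> 17.
    static int javaMajor(String javaVersion) {
        String[] parts = javaVersion.split("[._-]");
        int first = Integer.parseInt(parts[0]);
        return first == 1 ? Integer.parseInt(parts[1]) : first;
    }

    // True when a Spring Framework version predates the first fixed release of its line
    // (5.3.18 for 5.3.x, 5.2.20 for 5.2.x). Older lines count as affected, matching the
    // advisory's "or earlier versions"; 5.4+ did not exist at disclosure and is not flagged.
    static boolean isAffected(int major, int minor, int patch) {
        if (major != 5) return major < 5;
        if (minor < 2) return true;
        if (minor == 2) return patch < 20;
        if (minor == 3) return patch < 18;
        return false;
    }

    // Classifies one jar file name; returns null when it is not a Spring Framework jar.
    static String assess(String jarName) {
        Matcher m = SPRING_JAR.matcher(jarName);
        if (!m.matches()) return null;
        int major = Integer.parseInt(m.group(2));
        int minor = Integer.parseInt(m.group(3));
        int patch = Integer.parseInt(m.group(4));
        String verdict = isAffected(major, minor, patch) ? "AFFECTED - upgrade" : "ok";
        return m.group(1) + " " + major + "." + minor + "." + patch + ": " + verdict;
    }

    // Scans a directory of jars, e.g. an exploded WAR's WEB-INF/lib.
    static List<String> scan(Path libDir) throws IOException {
        try (Stream<Path> files = Files.list(libDir)) {
            return files.map(p -> assess(p.getFileName().toString()))
                    .filter(Objects::nonNull)
                    .sorted()
                    .collect(Collectors.toList());
        }
    }

    public static void main(String[] args) throws IOException {
        int major = javaMajor(System.getProperty("java.version"));
        System.out.println("Java " + major + (major >= 9 ? ": JDK 9+ condition met" : ": below JDK 9"));
        Path lib = Paths.get(args.length > 0 ? args[0] : "WEB-INF/lib");
        for (String finding : scan(lib)) {
            System.out.println(finding);
        }
    }
}
```

Run it with the JVM that actually serves the application (the java.version it reports is what matters, not the build machine's) and point it at the deployed WEB-INF/lib. It only reads file names, so jars that were renamed or shaded, or libraries packaged inside a Spring Boot fat jar under BOOT-INF/lib, have to be inspected separately.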
Initial Mitigation
Spring.io released patched versions Spring Framework 5.3.18 and 5.2.20, along with Spring Boot 2.6.6 and 2.5.12 that depend on the fixed framework. Upgrading to these versions eliminates the need for further workarounds.
If upgrading is not possible, Spring recommends adding a @ControllerAdvice that configures a WebDataBinder with disallowed fields:
    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.ControllerAdvice;
    import org.springframework.web.bind.annotation.InitBinder;

    @ControllerAdvice
    @Order(Ordered.LOWEST_PRECEDENCE)
    public class BinderControllerAdvice {
        @InitBinder
        public void setAllowedFields(WebDataBinder dataBinder) {
            // Reject any request parameter whose property path passes through "class" or "Class"
            String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
            dataBinder.setDisallowedFields(denylist);
        }
    }

For more robust protection, Spring suggests extending RequestMappingHandlerAdapter (or the WebFlux equivalent) and overriding the data-binder creation logic. Example for Spring MVC:
    package car.app;

    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.List;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
    import org.springframework.context.annotation.Bean;
    import org.springframework.web.bind.ServletRequestDataBinder;
    import org.springframework.web.context.request.NativeWebRequest;
    import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
    import org.springframework.web.method.support.InvocableHandlerMethod;
    import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
    import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

    @SpringBootApplication
    public class MyApp {

        public static void main(String[] args) {
            SpringApplication.run(MyApp.class, args);
        }

        // Replace the auto-configured handler adapter with one that hardens every binder it creates
        @Bean
        public WebMvcRegistrations mvcRegistrations() {
            return new WebMvcRegistrations() {
                @Override
                public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                    return new ExtendedRequestMappingHandlerAdapter();
                }
            };
        }

        private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {
            @Override
            protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {
                return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {
                    @Override
                    protected ServletRequestDataBinder createBinderInstance(Object target, String name, NativeWebRequest request) throws Exception {
                        ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);
                        // Append the denylist to whatever disallowed fields the binder already carries
                        String[] fields = binder.getDisallowedFields();
                        List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());
                        fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
                        binder.setDisallowedFields(fieldList.toArray(new String[]{}));
                        return binder;
                    }
                };
            }
        }
    }

For non-Spring-Boot applications, developers can replace @EnableWebMvc with a custom DelegatingWebMvcConfiguration and override the createRequestMappingHandlerAdapter method as described in the Spring documentation.
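Both workarounds rely on the same four disallowed-field patterns, so it is worth verifying that a binder configured with them really refuses "class"-rooted property paths. The program below is an added example, not code from the original article or from Spring: it drives a plain DataBinder (spring-context on the classpath) with constructed request-style parameters and reports which ones the binder suppressed. The Form bean, the parameter names and the class name are assumptions made for this example.

```java
import java.util.Arrays;
import java.util.List;
import org.springframework.beans.MutablePropertyValues;
import org.springframework.validation.DataBinder;

// Added example: confirms the denylist patterns suppress class-rooted property paths.
public class DenylistCheck {

    // Constructed target bean with a single legitimate property.
    public static class Form {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    // The same four patterns the article's workarounds install.
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    // Binds the supplied parameters onto a fresh Form and returns the field names the
    // binder suppressed because they matched the denylist (never applied to the target).
    static List<String> suppressedFields(MutablePropertyValues params) {
        DataBinder binder = new DataBinder(new Form(), "form");
        binder.setDisallowedFields(DENYLIST);
        binder.bind(params);
        return Arrays.asList(binder.getBindingResult().getSuppressedFields());
    }

    public static void main(String[] args) {
        // Constructed parameters: one legitimate field plus three class-rooted paths.
        MutablePropertyValues params = new MutablePropertyValues();
        params.add("name", "alice");             // ordinary form field, must bind
        params.add("class.example", "x");        // matched by "class.*"
        params.add("owner.class.example", "y");  // matched by "*.class.*"
        params.add("Class.example", "z");        // matched by "Class.*"

        List<String> suppressed = suppressedFields(params);
        System.out.println("suppressed: " + suppressed);

        boolean effective = suppressed.containsAll(
                Arrays.asList("class.example", "owner.class.example", "Class.example"))
                && !suppressed.contains("name");
        System.out.println(effective
                ? "denylist effective"
                : "denylist NOT effective - check binder configuration");
    }
}
```

Keep in mind that setDisallowedFields replaces the binder's list rather than appending to it. A controller-local @InitBinder method that sets its own disallowed fields therefore runs after the global advice and can silently undo the @ControllerAdvice workaround, which is why the handler-adapter extension above appends the patterns to whatever the binder already holds. Running a check like this one against the binder configuration you actually ship is the quickest way to catch that case.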
In summary, organizations using affected Spring versions should immediately audit their deployments and upgrade to the latest patched releases or apply the provided controller‑advice and binder‑extension workarounds to mitigate the RCE risk.
Java High-Performance Architecture
Sharing Java development articles and resources, including SSM architecture and the Spring ecosystem (Spring Boot, Spring Cloud, MyBatis, Dubbo, Docker), Zookeeper, Redis, architecture design, microservices, message queues, Git, etc.