What’s the Real Impact of Spring Framework RCE CVE‑2022‑22965 and How to Fix It?
This article explains the officially announced Spring Framework remote code execution vulnerability CVE‑2022‑22965, outlines the affected environments, provides upgrade paths for Spring and Spring Boot, and shares safe code‑based mitigation techniques for developers.
The recent Spring vulnerability has been widely discussed, but many articles conflated it with unrelated CVEs and overstated its reach. On March 31, 2022, the Spring team officially announced a remote code execution (RCE) issue in the core framework, confirming the existence of CVE‑2022‑22965.
The known exploit requires JDK 9 or higher, deployment on Apache Tomcat as a WAR, and a dependency on spring-webmvc or spring-webflux. Although many deployments still run JDK 8 or use embedded Tomcat and therefore fall outside these conditions, the risk is significant, so upgrading is strongly recommended.
Impact Scope
JDK 9 or higher
Apache Tomcat deployment
WAR packaging
Dependency on spring‑webmvc or spring‑webflux
Spring released emergency patches, and the following upgrade paths address the issue:
Solution
Spring 5.3.x → upgrade to 5.3.18+
Spring 5.2.x → upgrade to 5.2.20+
Spring Boot 2.6.x → upgrade to 2.6.6+
Spring Boot 2.5.x → upgrade to 2.5.12+
For additional mitigation, developers can register a global @ControllerAdvice with an @InitBinder that disallows class‑related fields on every WebDataBinder:

    import org.springframework.core.Ordered;
    import org.springframework.core.annotation.Order;
    import org.springframework.web.bind.WebDataBinder;
    import org.springframework.web.bind.annotation.ControllerAdvice;
    import org.springframework.web.bind.annotation.InitBinder;

    // Applies to every controller; lowest precedence so it runs after other advice.
    @ControllerAdvice
    @Order(Ordered.LOWEST_PRECEDENCE)
    public class BinderControllerAdvice {
        // Patterns are wildcard-matched against bound property paths; both
        // capitalisations are listed so the list does not rely on case-insensitive matching.
        @InitBinder
        public void setAllowedFields(WebDataBinder dataBinder) {
            String[] denylist = new String[]{"class.*", "Class.*", "*.class.*", "*.Class.*"};
            dataBinder.setDisallowedFields(denylist);
        }
    }

However, this approach may interfere with other @InitBinder configurations: a controller that sets disallowed fields in its own @InitBinder method overrides the global list. A safer method is to extend RequestMappingHandlerAdapter and update the WebDataBinder after all other initializations:
    import java.util.ArrayList;
    import java.util.Arrays;
    import java.util.Collections;
    import java.util.List;
    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
    import org.springframework.context.annotation.Bean;
    import org.springframework.web.bind.ServletRequestDataBinder;
    import org.springframework.web.context.request.NativeWebRequest;
    import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
    import org.springframework.web.method.support.InvocableHandlerMethod;
    import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
    import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

    @SpringBootApplication
    public class MyApp {

        public static void main(String[] args) {
            SpringApplication.run(MyApp.class, args);
        }

        // Replace the auto-configured adapter with one that hardens every binder it creates.
        @Bean
        public WebMvcRegistrations mvcRegistrations() {
            return new WebMvcRegistrations() {
                @Override
                public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                    return new ExtendedRequestMappingHandlerAdapter();
                }
            };
        }

        private static class ExtendedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {
            @Override
            protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> methods) {
                return new ServletRequestDataBinderFactory(methods, getWebBindingInitializer()) {
                    @Override
                    protected ServletRequestDataBinder createBinderInstance(Object target, String name, NativeWebRequest request) throws Exception {
                        ServletRequestDataBinder binder = super.createBinderInstance(target, name, request);
                        // Append the class.* patterns to any disallowed fields already present
                        // on the binder instead of replacing them.
                        String[] fields = binder.getDisallowedFields();
                        List<String> fieldList = new ArrayList<>(fields != null ? Arrays.asList(fields) : Collections.emptyList());
                        fieldList.addAll(Arrays.asList("class.*", "Class.*", "*.class.*", "*.Class.*"));
                        binder.setDisallowedFields(fieldList.toArray(new String[]{}));
                        return binder;
                    }
                };
            }
        }
    }

For Spring MVC applications that do not use Spring Boot, switch from @EnableWebMvc to extending DelegatingWebMvcConfiguration directly and override createRequestMappingHandlerAdapter, as described in the advanced Java configuration section of the Spring MVC documentation.
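To make the effect of that denylist concrete, here is an added example (not code from the article or from Spring) that models in Python how a WebDataBinder filters request parameters against it: simple_match() re-implements the wildcard rules of Spring's PatternMatchUtils.simpleMatch, the sample parameters are constructed, and no Spring class is involved.

```python
# Stand-alone model of how a Spring WebDataBinder denylist suppresses request
# parameters. simple_match() re-implements the wildcard rules of Spring's
# PatternMatchUtils.simpleMatch; illustrative code, not Spring's own.
DENYLIST = ["class.*", "Class.*", "*.class.*", "*.Class.*"]  # article's denylist

def simple_match(pattern: str, field: str) -> bool:
    """Case-sensitive match where each '*' spans any run of characters."""
    first = pattern.find("*")
    if first == -1:                       # no wildcard: exact match only
        return pattern == field
    if first == 0:                        # leading '*'
        if len(pattern) == 1:
            return True
        nxt = pattern.find("*", 1)
        if nxt == -1:                     # "*xxx": suffix match
            return field.endswith(pattern[1:])
        part = pattern[1:nxt]             # "*xxx*...": literal between stars
        if not part:
            return simple_match(pattern[nxt:], field)
        idx = field.find(part)            # try every occurrence of the literal
        while idx != -1:
            if simple_match(pattern[nxt:], field[idx + len(part):]):
                return True
            idx = field.find(part, idx + 1)
        return False
    # "xxx*...": literal prefix must match exactly, then recurse on the rest
    return field[:first] == pattern[:first] and simple_match(pattern[first:], field[first:])

def is_allowed(field: str, denylist=DENYLIST) -> bool:
    """A field may be bound unless some denylist pattern matches it."""
    return not any(simple_match(p, field) for p in denylist)

def filter_binding(params: dict) -> tuple:
    """Split parameters into bound values and suppressed field names; like
    DataBinder, disallowed fields are dropped rather than causing an error."""
    bound = {k: v for k, v in params.items() if is_allowed(k)}
    return bound, sorted(k for k in params if k not in bound)

# Constructed sample: ordinary form fields plus class-path shaped names.
SAMPLE_PARAMS = {
    "name": "Alice", "address.city": "Berlin", "className": "vip",
    "class.name": "x", "Class.name": "x", "owner.class.name": "x",
}

if __name__ == "__main__":
    bound, suppressed = filter_binding(SAMPLE_PARAMS)
    print("bound:", sorted(bound))     # className stays: 'class' with no dot
    print("suppressed:", suppressed)
```

Nested paths containing a `class.` or `.class.` segment are suppressed, while a field such as className binds normally because the patterns require the dot; since simpleMatch is case-sensitive, both spellings have to be listed.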
References:
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
https://tanzu.vmware.com/security/cve-2022-22965
https://docs.spring.io/spring-framework/docs/current/reference/html/web.html#mvc-config-advanced-java
Programmer DD
A tinkering programmer and author of "Spring Cloud Microservices in Action"