“Spring4Shell” vulnerability & Payara Platform

The Remote Code Execution (RCE) vulnerability detected in the Spring Java Framework in March 2022 (tagged as CVE-2022-22965) is unlikely to impact those using Payara Platform.

However, users that deploy Spring Framework WAR packaged applications in Payara Server are affected by this vulnerability as Payara Server shares pieces of code in its Servlet implementation, Catalina, which was originally branched from Apache Tomcat.

To mitigate the risk of being impacted by this vulnerability, we have implemented an urgent fix that effectively disables the affected code in the corresponding Catalina modules. This hotfix will be included in the upcoming releases of both Payara Community (5.2022.2) and Payara Enterprise (5.38)

However we can’t guarantee that Spring applications are completely safeguarded against this vulnerability. Users should apply the fixes issued in Spring Framework 5.3.18 and 5.2.20, available in Spring Boot 2.6.6. as per their recommendations.

Read more about the vulnerability here: