Spring4Shell Vulnerability

Would SpringBoot apps deployed on Payara servers be vulnerable to the Spring4Shell vulnerability?

According to Spring Framework RCE, Early Announcement

According to the doc, it’s strictly Tomcat. Can anyone validate?

Hi,

We’ve already investigated this because Payara Server shares some source code with an older Tomcat version. We’ve concluded that it’s not likely that Payara Server is affected, but we’re not able to confirm it. Therefore we’ve applied a fix similar to the one Tomcat applied, which we believe prevents the vulnerability in case it could also be exploited in Payara Server. The change is here: FISH-6208 Deprecate and change WebAppClassLoader#getResources to return null for CVE-2022-22965 by Pandrex247 · Pull Request #5686 · payara/Payara · GitHub. It’s ready to be released in the next Payara Community and Payara Enterprise versions. Payara Enterprise customers can request an immediate hotfix if needed.

Ondro


Hi,

After my previous reply, Payara has released an official statement about the Spring4Shell vulnerability: Payara Platform & “Spring4Shell”.

In short, users that deploy Spring Framework WAR packaged applications in Payara Server ARE AFFECTED. A hotfix in the upcoming releases of the Payara Platform mitigates the risks, but users must also apply the fixes issued in Spring Framework to be fully protected.

All the best,
Ondro
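For readers who cannot upgrade Spring Framework immediately, the application-side mitigation that the Spring early announcement linked above describes is a global data-binder deny-list. The snippet below is an added example, not code from the thread or from Payara; the class name is assumed, and it reproduces the announcement's workaround of blocking any bind path that reaches a `class`/`Class` property (and through it the classloader, which is what CVE-2022-22965 abuses):

```java
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

// Applies to every @Controller in the application. The high order value
// (as in the Spring announcement) makes this advice run after any other
// @ControllerAdvice, so its deny-list is the last word on disallowed fields.
@ControllerAdvice
@Order(10000)
public class BinderControllerAdvice {   // class name is an assumption

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Patterns from the Spring early announcement: reject request parameters
        // whose property path is, or descends through, "class" / "Class".
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

Caveat: a controller that calls `setDisallowedFields` in its own `@InitBinder` method replaces this list rather than extending it, so such controllers must repeat these patterns; and as the thread says, this only reduces exposure until the Spring Framework fix itself is applied.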