Spring Framework RCE Solution
Just yesterday Spring officially announced a Spring Framework RCE vulnerability CVE-2022-22965.
Upgrading to Spring Framework 5.3.18+ or 5.2.20+ remains Spring's main official recommendation. Spring states that these releases address the root cause and prevent some other attacks, and they also include fixes for other CVEs.
Although the vulnerability is not in Tomcat itself, the Apache Tomcat team has also released versions 10.0.20, 9.0.62 and 8.5.78, which are the official Tomcat solutions for the reported CVE-2022-22965 vulnerability. The vulnerability has been addressed in these versions, so for older, unsupported versions of Spring Framework it can be worked around by upgrading Tomcat.
However, the primary goal should be to upgrade to a currently supported version of the Spring Framework.
Another quick and easy solution is to downgrade to Java 8, but this may not be applicable to all projects.
All three of these options can be used to mitigate the Spring Framework RCE vulnerability CVE-2022-22965, and we hope this article has helped you.
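The three options above can be checked across a deployment inventory. The following is an added example, not code from Spring or from the original article: the fixed release numbers are the ones named above, while the inventory rows, app names and function names are constructed for illustration. Branches the article does not list are reported as not covered so they get reviewed by hand.

```python
import re

# First fixed patch release per branch, as named in the article.
SPRING_FIXED = {(5, 3): 18, (5, 2): 20}
TOMCAT_FIXED = {(10, 0): 20, (9, 0): 62, (8, 5): 78}

# Constructed sample inventory (hypothetical apps and versions).
INVENTORY = [
    {"app": "billing", "spring": "5.3.17", "tomcat": "9.0.60", "java": 11},
    {"app": "portal", "spring": "5.3.18", "tomcat": "9.0.60", "java": 17},
    {"app": "legacy-crm", "spring": "4.3.30.RELEASE", "tomcat": "8.5.78", "java": 11},
    {"app": "reports", "spring": "5.2.19", "tomcat": "8.5.77", "java": 8},
]

def parse(version):
    """'5.3.17' or '4.3.30.RELEASE' -> (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g) for g in m.groups())

def at_fixed_release(version, fixed):
    """True only if the version is on a listed branch at or past its fixed patch."""
    major, minor, patch = parse(version)
    first_fixed = fixed.get((major, minor))
    return first_fixed is not None and patch >= first_fixed

def mitigations(spring, tomcat, java_major):
    """Return which of the article's three options apply to one deployment."""
    found = []
    if at_fixed_release(spring, SPRING_FIXED):
        found.append("spring-upgrade")
    if tomcat is not None and at_fixed_release(tomcat, TOMCAT_FIXED):
        found.append("tomcat-upgrade")
    if java_major <= 8:  # third option: running on Java 8 (or older)
        found.append("java-8")
    return found

def triage(inventory):
    return {r["app"]: mitigations(r["spring"], r["tomcat"], r["java"]) for r in inventory}

if __name__ == "__main__":
    for app, found in triage(INVENTORY).items():
        status = ", ".join(found) if found else "NONE - upgrade Spring Framework"
        print(f"{app:12} {status}")
```

An app that reports only `tomcat-upgrade` or `java-8` is relying on a workaround and should still be scheduled for the Spring Framework upgrade.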
Reference https://spring.io/blog/2022/04/01/spring-framework-rce-mitigation-alternative