Uploaded image for project: 'FOLIO'
  1. FOLIO
  2. FOLIO-3466

Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965)



    • Spring Force
    • Yes
    • TBD


      Official announcement from spring.io: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

      There are three recent issues in Spring Framework:

      This Jira is about the last one only. (The others may also be fixed by updating to a fixed version.)


      42 FOLIO platform-complete modules use a vulnerable spring version.

      https://github.com/folio-org/platform-complete/actions/workflows/spring-cve-2022-22965.yml automatically maintains a list of all FOLIO back-end modules showing their Spring4Shell status for Kiwi (R3 2021), Lotus (R1 2022), Morning Glory (R2 2022) and Nolana (R3 2022). The list is in "Run cat result.txt".

      Patches are available:

      • Spring Framework 5.3.18 and 5.2.20
      • Spring Boot 2.6.6 and 2.5.12
      • Grails Core 5.1.6

      It is NOT recommended to only apply workarounds (like not using Tomcat/Payara/Glassfish).
      Quote from https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement :

      The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater.

      Quote from https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 :

      we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

      After applying the patch run

      mvn dependency:tree -Dincludes=org.springframework:spring-beans


      grails dependency-report runtime | grep spring-beans

      and check that spring-beans version is >= 5.3.18 or >= 5.2.20.

      Apply the patch on the default branch (main/master), the R2 2022 Morning Glory branch (if exists), and on the Lotus (R1 2022) branch, and release a patch version for Lotus.

      We don't need any Kiwi back-port because there are no plans for a Kiwi hot fix #3.


      Explanation from snyk:

      The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.
      Affected versions of this package are vulnerable to Remote Code Execution via manipulation of ClassLoader that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application.

      The vulnerability is in the spring-beans library of Spring Core in CachedIntrospectionResults.java. See the fix:

      For details see


      Quote from https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 :


      • Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish.
      • However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.
      • As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

      Quote from https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement :

      However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

      Requirements to exploit the vulnerability:

      • JDK9 and above (FOLIO uses JDK11)
      • Using the Spring-beans package
      • Spring parameter binding is used
      • Spring parameter binding uses non-basic parameter types, such as general POJOs

      There can be multiple ways to exploit the vulnerability.

      The easiest way to exploit the vulnerability is attacking an installation that runs on an external Tomcat (Apache Tomcat as the Servlet container). This is how the first known and published exploit works. There are reports about ongoing attacks.

      FOLIO modules don't use an external Tomcat. Some use spring-boot-starter-tomcat, the embedded Tomcat, that cannot been attacked by the published exploit.

      FOLIO modules don't use Payara or Glassfish for which public exploits have been published.

      Other exploits are possible but not publicly known and not published.


      As Spring Framework is one of the most popular frameworks for Java and for the Java virtual machine (JVM) it is likely that other exploits get developed that affect FOLIO modules - the risk becomes greater over time.

      Therefore the patches should be applied to mitigate this risk.

      Priority for edge modules is P2 because they are not behind Okapi but directly exposed to the internet. Priority for other modules is P3 for Lotus and P2 for Morning Glory and Nolana. Priority to be re-assessed if new findings are made.

      TestRail: Results


          Issue Links



                Unassigned Unassigned
                jakub Jakub Skoczen
                0 Vote for this issue
                5 Start watching this issue



                  TestRail: Runs

                    TestRail: Cases