WAF mitigation for Spring Framework RCE CVE-2022-22965

ZeroDay RCE CVE-2022-22965



The Spring Framework RCE vulnerability (CVE-2022-22965) was announced on March 31, 2022.


Spring Framework is an open-source, lightweight J2EE application development framework that provides IoC, AOP, MVC and other functions. It addresses problems that developers commonly encounter, makes application development more convenient and makes building software systems more efficient.

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar (the default), it is not vulnerable to this exploit.

These are the requirements for the specific scenario from the report:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions

However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.

Vulnerability Details:

  • Vulnerability level: High Risk
  • Affected versions:
    Spring Framework 5.3.x < 5.3.18
    Spring Framework 5.2.x < 5.2.20
  • Fixed versions:
    Spring Framework 5.3.18
    Spring Framework 5.2.20
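As an added defender-side example (not CDNetworks code), the following Python triage helper encodes the affected version ranges and the reported-scenario preconditions listed above so that an inventory of deployments can be screened; the Deployment record and its field names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}  # fixed releases from the advisory

def parse_version(v: str) -> tuple:
    """Parse '5.3.17' or '5.3.17.RELEASE' into (major, minor, patch)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-][\w.-]+)?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Spring Framework version: {v!r}")
    return tuple(int(x) for x in m.groups())

def spring_version_affected(v: str) -> bool:
    """True if this Spring Framework version predates the fix for CVE-2022-22965."""
    major, minor, patch = parse_version(v)
    line = (major, minor)
    if line in FIXED:
        return (major, minor, patch) < FIXED[line]
    # Lines older than 5.2 never received a fix ("and older versions"); newer lines are assumed fixed.
    return line < (5, 2)

@dataclass
class Deployment:  # hypothetical record of facts gathered from a deployment's build and runtime
    spring_version: str
    jdk_major: int
    servlet_container: str      # e.g. "Tomcat", "Jetty"
    packaging: str              # "war" or "jar"
    web_modules: tuple          # Spring artifact ids on the classpath

def matches_reported_exploit(d: Deployment) -> bool:
    """All preconditions of the reported exploit scenario hold."""
    return (spring_version_affected(d.spring_version)
            and d.jdk_major >= 9
            and d.servlet_container.lower() == "tomcat"
            and d.packaging.lower() == "war"
            and any(m in ("spring-webmvc", "spring-webflux") for m in d.web_modules))

def triage(d: Deployment) -> str:
    if not spring_version_affected(d.spring_version):
        return "not affected: Spring Framework is at or above the fixed release"
    if matches_reported_exploit(d):
        return "affected and matches the reported scenario: upgrade to 5.3.18 / 5.2.20 now"
    return "affected version, reported scenario not matched: still upgrade (other paths may exist)"

if __name__ == "__main__":
    # Constructed sample deployments, not real inventory data.
    for d in (Deployment("5.3.17", 11, "Tomcat", "war", ("spring-webmvc",)),
              Deployment("5.2.19", 17, "Jetty", "jar", ("spring-webflux",))):
        print(d.spring_version, "->", triage(d))
```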

Suggested Workarounds

  • Upgrade the Spring Framework to 5.3.18, 5.2.20 or a later version

CDNetworks Deployed New Rules to Mitigate Spring Framework RCE

The CDNetworks security team responded immediately to this high-risk vulnerability and on March 31, 2022 deployed new WAF rules (9801, 9802, 9803) across CDNetworks’ systems and products to mitigate this zero-day CVE.

Any customer currently using Application Shield or Web Application Firewall will receive the new rules (9801, 9802, 9803) and should enable Block Mode on the CDNetworks portal so that CVE-2022-22965 exploit attempts are detected and this zero-day CVE is mitigated.

Rule ID   Rule Name   Attack Type                   Action
9801                  3rd Party Component Exploit
9802                  3rd Party Component Exploit
9803                  3rd Party Component Exploit

Reference: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
