Try Free

Payara Platform & “Spring4Shell”

Jakarta EE
Fabio Turizo
Published: 06 Apr 2022
Updated: 21 Oct 2025

The Remote Code Execution (RCE) vulnerability detected in the Spring Java Framework in March 2022 (tagged as CVE-2022-22965) is unlikely to impact those using Payara Platform.

However, users that deploy Spring Framework WAR packaged applications in Payara Server are affected by this vulnerability as Payara Server shares pieces of code in its Servlet implementation, Catalina, which was originally branched from Apache Tomcat.

To mitigate the risk of being impacted by this vulnerability, we have implemented an urgent fix that effectively disables the affected code in the corresponding Catalina modules. This hotfix will be included in the upcoming releases of both Payara Community (5.2022.2) and Payara Enterprise (5.38)

Please note: Users must also apply the fixes issued in Spring Framework 5.3.18 and 5.2.20, available in Spring Boot 2.6.6. as per their recommendations, to be fully protected.

Read more about the vulnerability here:

Spring4Shell vulnerability: Should you patch?

Find more resources here for increasing the security of your applications:

Share:

Download Payara Platform Community

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Docker logo 4 minutes
Community
Dominika Tasarz
18 Nov 2025

Level Up Your Jakarta EE Apps with Payara 7 and New Docker Images

We’re excited to share major updates around the Docker image story for the Payara Platform Community, aligned with our […]

Read More
Timeline showing Payara Platform Enterprise 4, 5, and 6 support phases (Full, Extended, Lifetime) from 2023–2033, along with JDK 8, 11, 17, and 21 support periods and end-of-life markers. 4 minutes
Thought Leadership
Chiara Civardi
17 Nov 2025

Understanding the Payara Platform Enterprise Software Lifecycle: How We Support Long-Term Stability 

Keeping an application server running smoothly isn’t so much about new features, but more about predictability and consistency. Software […]

Read More
Patrik Dudits presenting at Devoxx Belgium 2025 5 minutes
Cloud & Microservices
Patrik Duditš
14 Nov 2025

Devoxx BE 2025: It Only Starts with a Container & How Abstraction Becomes Reality 

At Devoxx Belgium 2025, I was able to talk about what happens after you build your container. In theory, […]

Read More