Try Free

Payara Platform & “Spring4Shell”

Jakarta EE
Fabio Turizo
Published: 06 Apr 2022
Updated: 21 Oct 2025

The Remote Code Execution (RCE) vulnerability detected in the Spring Java Framework in March 2022 (tagged as CVE-2022-22965) is unlikely to impact those using Payara Platform.

However, users that deploy Spring Framework WAR packaged applications in Payara Server are affected by this vulnerability as Payara Server shares pieces of code in its Servlet implementation, Catalina, which was originally branched from Apache Tomcat.

To mitigate the risk of being impacted by this vulnerability, we have implemented an urgent fix that effectively disables the affected code in the corresponding Catalina modules. This hotfix will be included in the upcoming releases of both Payara Community (5.2022.2) and Payara Enterprise (5.38)

Please note: Users must also apply the fixes issued in Spring Framework 5.3.18 and 5.2.20, available in Spring Boot 2.6.6. as per their recommendations, to be fully protected.

Read more about the vulnerability here:

Spring4Shell vulnerability: Should you patch?

Find more resources here for increasing the security of your applications:

Share:

Download Payara Platform Community

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

Related Posts

Payara promotional graphic showing transition from Spring to Jakarta EE, including technology logos, a code icon and arrows leading from Spring to Jakarta EE. 6 minutes
Jakarta EE
Chiara Civardi
27 Oct 2025

From Spring Boot To Jakarta EE 11: How Payara Starter Eases The Transition

If you’ve been living in the Spring ecosystem, you’re used to fast project setup. Spring Initializr gives you a […]

Read More
The Imperative for Legacy Java Modernization in Banking Cover 2 minutes
Security
Luqman Saeed
24 Oct 2025

The $57 Billion Problem: Why Banking’s Java Legacy Crisis Demands Immediate Action

How outdated Java systems are draining budgets and throttling innovation across financial services? Let’s dig in in this blog […]

Read More
Interview The software that could be putting your cyber-security at risk 2 minutes
Security
Payara Content Team
22 Oct 2025

Middleware Cyber Security: The Hidden Risk Every C-Suite Should Prioritize

When tackling cyber risk at the strategic level, it pays to learn from trusted leaders. Steve Millidge, CEO and […]

Read More