Azul Partner logo

Azul Acquires Payara

Strengthening the Java platform for modern enterprise applications.

Read More
Try Free

Payara Platform & “Spring4Shell”

Jakarta EE
Fabio Turizo
Published: 06 Apr 2022
Updated: 21 Oct 2025

The Remote Code Execution (RCE) vulnerability detected in the Spring Java Framework in March 2022 (tagged as CVE-2022-22965) is unlikely to impact those using Payara Platform.

However, users that deploy Spring Framework WAR packaged applications in Payara Server are affected by this vulnerability as Payara Server shares pieces of code in its Servlet implementation, Catalina, which was originally branched from Apache Tomcat.

To mitigate the risk of being impacted by this vulnerability, we have implemented an urgent fix that effectively disables the affected code in the corresponding Catalina modules. This hotfix will be included in the upcoming releases of both Payara Community (5.2022.2) and Payara Enterprise (5.38)

Please note: Users must also apply the fixes issued in Spring Framework 5.3.18 and 5.2.20, available in Spring Boot 2.6.6. as per their recommendations, to be fully protected.

Read more about the vulnerability here:

Spring4Shell vulnerability: Should you patch?

Find more resources here for increasing the security of your applications:

Share:

Download Payara Platform Community

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts

Blue background with coral and fish. Left text: 'MONTHLY CATCH'. Right: laptop screen with tech tabs and Payara Community logo. 5 minutes
Community
Dominika Tasarz
03 Mar 2026

The Payara Monthly Catch – February 2026

February brought strong momentum across the enterprise Java ecosystem – from Agentic AI discussions and Jakarta EE evolution, to […]

Read More
Screenshot from the Jakarta Agentic AI webinar showing a presentation slide titled “Jakarta Agentic AI” with bullet points about vendor-neutral APIs, early project status, and a Java SE 17 and Jakarta EE 10 baseline. Video thumbnails of multiple panel speakers appear on the left, and a GitHub repository link is displayed on the slide. 2 minutes
Community
Dominika Tasarz
26 Feb 2026

Shaping Jakarta Agentic AI Together – Watch the Open Conversation

Earlier this week, we hosted Jakarta Agentic AI, An Open Conversation, an open house Jakarta TechTalk session, exploring a […]

Read More
Illustration showing the Payara logo and the words “New Release” in large orange and white text, next to a stylized laptop screen displaying the Payara Server admin console with dark blue and orange interface elements. 5 minutes
Community
Luqman Saeed
19 Feb 2026

What’s New in the Payara Platform February 2026 Release?

The February 2026 release of the Payara Platform is centered on a major initiative to streamline the platform. This involves removing […]

Read More