Payara Platform & “Spring4Shell”

Uncategorized

The Remote Code Execution (RCE) vulnerability detected in the Spring Java Framework in March 2022 (tagged as CVE-2022-22965) is unlikely to impact those using Payara Platform.

However, users that deploy Spring Framework WAR packaged applications in Payara Server are affected by this vulnerability as Payara Server shares pieces of code in its Servlet implementation, Catalina, which was originally branched from Apache Tomcat.

To mitigate the risk of being impacted by this vulnerability, we have implemented an urgent fix that effectively disables the affected code in the corresponding Catalina modules. This hotfix will be included in the upcoming releases of both Payara Community (5.2022.2) and Payara Enterprise (5.38)

Please note: Users must also apply the fixes issued in Spring Framework 5.3.18 and 5.2.20, available in Spring Boot 2.6.6. as per their recommendations, to be fully protected.

Read more about the vulnerability here:

Find more resources here for increasing the security of your applications:

Comments (0)

Post a comment

Your email address will not be published. Required fields are marked *

Payara needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at any time. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, please review our Legal & Privacy Policy.

Related Posts

Blue background with coral and fish. Left text: 'MONTHLY CATCH'. Right: laptop screen with tech tabs and Payara Community logo. 3 minutes
Community

The Payara Monthly Catch -September 2025

Welcome aboard the September issue of The Monthly Catch! With summer holidays wrapping up, the Java world is back […]

Payara Qube-Cloud Light banner 4 minutes
Security

Zero Trust Security in Enterprise Java: What it is and How to Implement it

Cybersecurity isn’t just about building walls, fortresses, moats or any other external barrier anymore. Nowadays, it’s important to check […]

Community_Announcement 4 minutes
Uncategorized

Leading the Way: Payara Platform Community 7 Beta Now Fully Jakarta EE 11 Certified

We’re excited to announce that Payara Platform Community 7 Beta application server is now fully certified as Jakarta EE 11 […]