Payara Platform & “Spring4Shell”


The remote code execution (RCE) vulnerability disclosed in the Spring Framework in March 2022, CVE-2022-22965 (widely known as "Spring4Shell"), is unlikely to impact most users of the Payara Platform: the Payara Platform does not itself ship the Spring Framework, and the vulnerability lives in applications that use it.

However, users who deploy Spring Framework applications packaged as WAR files on Payara Server are affected. Payara Server's Servlet implementation, Catalina, was originally branched from Apache Tomcat and still shares pieces of code with it, so the Catalina code paths that the vulnerability relies on in Tomcat are also present in Payara Server.

To mitigate the risk of being impacted by this vulnerability, we have implemented an urgent fix that disables the affected code in the corresponding Catalina modules. This hotfix will be included in the upcoming releases of both Payara Community (5.2022.2) and Payara Enterprise (5.38).

Please note: the Payara hotfix is a server-side mitigation only. To be fully protected, users must also apply the fixes issued in Spring Framework 5.3.18 and 5.2.20 (available in Spring Boot 2.6.6), as recommended by the Spring team. Check the Spring Framework JARs actually bundled in each deployed WAR, not just the Spring Boot version, since the fix is in the framework artifacts.
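As an added example (not code from Payara or from the Spring project), the following Python script lists the Spring Framework JARs in a WAR's WEB-INF/lib and flags any version below the fixed releases named above, 5.3.18 for the 5.3 branch and 5.2.20 for the 5.2 branch. It assumes the JARs carry their version in the file name, as Maven-built WARs normally do; the assumption that branches older than 5.2 receive no fix and should be treated as vulnerable is also the author's, not a statement from the post. The sample WAR it builds in memory is constructed for the demonstration and contains empty placeholder JARs.

```python
"""Added check: flag pre-fix Spring Framework JARs inside a WAR (CVE-2022-22965).
Example code, not part of Payara Server or the Spring Framework."""
import io
import re
import zipfile

# First fixed release per supported branch, as stated in the post.
FIXED_BY_BRANCH = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Matches WEB-INF/lib/spring-<module>-<major>.<minor>.<patch>[-qualifier].jar
# Only core framework modules are considered; Spring Boot starters carry
# Boot's own version number, which says nothing about the framework version.
SPRING_JAR = re.compile(
    r"^WEB-INF/lib/(spring-(?:beans|core|context|aop|expression|web|webmvc|webflux))"
    r"-(\d+)\.(\d+)\.(\d+)(?:[.-][^/]*)?\.jar$"
)


def is_vulnerable(version):
    """True if a Spring Framework version predates the fix for its branch.

    Assumption (not from the post): branches older than 5.2 get no fix, so
    they are flagged as vulnerable; 6.x and later are treated as fixed.
    """
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return version < FIXED_BY_BRANCH[branch]
    return version < (5, 2, 0)


def scan_war(war_bytes):
    """Return one finding per Spring Framework JAR found in WEB-INF/lib."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            m = SPRING_JAR.match(name)
            if not m:
                continue
            version = tuple(int(x) for x in m.group(2, 3, 4))
            findings.append({
                "jar": name,
                "module": m.group(1),
                "version": ".".join(map(str, version)),
                "vulnerable": is_vulnerable(version),
            })
    return findings


def summarize(findings):
    """Overall verdict for the WAR.

    The advisory concerns Spring MVC / WebFlux applications, so the summary
    records whether such a module is present and which JARs still need the
    Spring Framework upgrade.
    """
    has_mvc = any(f["module"] in ("spring-webmvc", "spring-webflux") for f in findings)
    outdated = [f["jar"] for f in findings if f["vulnerable"]]
    return {
        "spring_mvc_or_webflux": has_mvc,
        "needs_upgrade": bool(outdated),
        "outdated": outdated,
    }


def build_sample_war(version):
    """Constructed sample WAR with empty placeholder JARs, for offline use only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        for module in ("spring-core", "spring-beans", "spring-webmvc"):
            war.writestr(f"WEB-INF/lib/{module}-{version}.jar", b"")
    return buf.getvalue()


if __name__ == "__main__":
    # A real run would read the bytes of a deployed WAR instead.
    for v in ("5.3.17", "5.3.18"):
        print(v, summarize(scan_war(build_sample_war(v))))
```

Run it against a real deployment by passing the bytes of the WAR file to scan_war; a WAR that reports needs_upgrade still has to be rebuilt against the fixed Spring Framework release even after the Payara hotfix is applied.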
