Statement on CVE 2022-22965 Spring Framework RCE via Data Binding on JDK 9+

April 29, 2022

Information

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Risk

Not Applicable

Response

Melissa Data Corporation (“Melissa”) was not impacted by the Spring4Shell remote code execution (RCE) vulnerability via data binding as we do not utilize Spring MVC or WebFlux applications for any Melissa commercial web services or products.

Melissa will continue to follow all guidance provided for this vulnerability as necessary to prevent any future risks.