SpringShell-Break 2022


VMware has announced that the Spring Framework, in certain configurations, is vulnerable to remote code execution (RCE). Spring MVC (Model-View-Controller) and Spring WebFlux applications running on JDK 9 or later may be vulnerable to RCE through data binding. At the time of the original announcement the exploit had only been confirmed against applications deployed to Apache Tomcat as a WAR file; that list has likely grown by the time you read this, as more products are being reported as affected (both VMware and Cisco have published advisories for their own products). The default Spring Boot deployment as an executable jar is not vulnerable to the known exploit, but VMware has cautioned that the underlying flaw is more general and that other ways to exploit it may still be identified. The vulnerability affects Spring Framework versions 5.3.0 through 5.3.17, 5.2.0 through 5.2.19, and older, unsupported versions.

VMWare CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965

To remediate the vulnerability, upgrade to Spring Framework 5.3.18 or later (for 5.3.x users) or 5.2.20 or later (for 5.2.x users); Spring Boot users get the fixed framework in Spring Boot 2.6.6 and 2.5.12. If you run applications that cannot be upgraded yet, apply the mitigation described in the Suggested Workarounds section of Spring's RCE early announcement post: a global @ControllerAdvice that denylists any data-binding field path containing "class". Note the caveat Spring gives with it: a controller that sets its own disallowed fields in a local @InitBinder method overrides the global list and must be updated separately, so treat the workaround as a stopgap rather than a substitute for the upgrade.

Spring RCE Early Announcement: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
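The global denylist workaround from Spring's early announcement, shown here as an added example rather than code from this post. The package name is a placeholder; the annotations and the WebDataBinder.setDisallowedFields call are the standard Spring MVC API used in Spring's published workaround.

```java
package com.example.mitigation; // placeholder package name

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Application-wide data-binding denylist for CVE-2022-22965.
 *
 * Spring MVC and WebFlux bind request parameters onto handler-method
 * arguments through WebDataBinder, which walks nested property paths.
 * Refusing every path that starts with or passes through "class" (or
 * "Class") stops the binder from reaching the ClassLoader object graph
 * via the "class" property that every Java object exposes, which is the
 * path the known exploit abuses.
 *
 * @ControllerAdvice applies the @InitBinder method to every controller;
 * LOWEST_PRECEDENCE orders it after any other advice beans, but a
 * controller's own @InitBinder still runs afterwards and a local
 * setDisallowedFields call there replaces this list entirely.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    /** Patterns are matched by WebDataBinder against the bound property path. */
    private static final String[] DENYLIST = {
        "class.*",    // e.g. class.module.classLoader
        "Class.*",
        "*.class.*",  // nested beans: user.class.module...
        "*.Class.*"
    };

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

If any controller in the application already calls setDisallowedFields in its own @InitBinder method, add the same four patterns to that call as well, since the local call overrides the global one rather than merging with it. Verify the mitigation by sending a request with a parameter named class.module.classLoader.foo and confirming it is rejected rather than silently bound.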
