VMware patches Spring4Shell RCE flaw in multiple products



The severe remote code execution vulnerability known as Spring4Shell, which affects numerous of VMware’s cloud computing and virtualization technologies, has been patched.

An advisory from the firm contains a list of VMware products that are impacted by Spring4Shell. In the absence of a patch, VMware has issued a workaround as a stopgap measure.

Because Spring4Shell is an actively exploited vulnerability, it is crucial to follow the recommendations offered in the security bulletin at this time.

A remote code execution vulnerability in the Spring Core Java framework, officially listed as CVE-2022-22965, may be exploited without authentication and has a severity level of 9.8 out of 10.

This means that any malicious actor with access to vulnerable programmes may run arbitrary instructions on a target machine and gain total control of it.

Because the Spring Framework is so widely used for Java app development, security experts are concerned about large-scale attacks using the Spring4Shell vulnerability.

To make matters worse, a working proof-of-concept (PoC) exploit was leaked on GitHub even before a security update had become available, raising the chances of malicious exploitation and “surprise” attacks.

Impact and remediation

The critical flaw impacts Spring MVC and Spring WebFlux apps running on JDK 9+. The exploit requires the app to run on Tomcat as a WAR deployment, although the exact limitations are still under investigation.

The applications’ corrected versions are as follows:

Spring Framework 5.3.18 and Spring Framework 5.2.20 are two versions of the Spring Framework.

2.5.12 Spring Boot

2.6.6 Spring Boot (soon to be released)

While the investigation is still ongoing, VMWare has analysed its product portfolio and found that the following products are affected:

Versions 2.10 through 2.13 of the VMware Tanzu Application Service for VMs

Versions 2.8 through 2.9 of VMware Tanzu Operations Manager

Versions 1.11 through 1.13 of VMware Tanzu Kubernetes Grid Integrated Edition

Security patches for the first two products have already been released, with point releases covering several version branches, while a permanent repair for VMware Tanzu Kubernetes Grid Integrated Edition is still in the process.

VMWare has given workaround instructions for certain installations in order to assist administrators in temporarily securing their systems until the fixes are released.


VMWare has determined that the Spring4Shell exploitation in TKGI is sophisticated, thus the mitigating advice and future security update are offered for maximum customer trust and to minimize false positives.


Nonetheless, to guarantee that your deployments are safe from opportunist threat actors, the offered official security advice should be followed without fail and without delay.



IEMLabs is an ISO 27001:2013 and ISO 9001:2015 certified company, we are also a proud member of EC Council, NASSCOM, Data Security Council of India (DSCI), Indian Chamber of Commerce (ICC), U.S. Chamber of Commerce, and Confederation of Indian Industry (CII). The company was established in 2016 with a vision in mind to provide Cyber Security to the digital world and make them Hack Proof. The question is why are we suddenly talking about Cyber Security and all this stuff? With the development of technology, more and more companies are shifting their business to Digital World which is resulting in the increase in Cyber Crimes.

Leave a comment

Your email address will not be published.