It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Load Balancer ADC

Spring Framework: Critical Vulnerability Spring4Shell

  • Last updated on

This article provides updates on recently discovered vulnerabilities (CVE-2022-22963 and CVE-2022-22965) in Spring Framework.

The following table provides key information about the vulnerabilities.

CVE NumberCommonly Known/Associated AsCriticality &  CVSS ScoreExploit TypeSoftware Firmware VersionsPrerequisite to Exploit VulnerabilityBarracuda ADC Affected


Relates to old CVE-2010-1622

Zero-dayRCESpring MVC and Spring WebFlux applications running on JDK 9+ Application running on TomcatNO
CVE-2022-22963 SpEL (Spring Expression Language)CriticalELV->RCE Spring Cloud Function versions : 3.1.6, 3.2.2 and older unsupported versions NO

Spring Framework is an application framework and inversion of control container for the Java platform. Recently, two vulnerabilities were discovered in Spring Framework (CVE-2022-22965) and in Spring Cloud Function (CVE-2022-22963).

Spring4Shell is a misnomer for all these vulnerabilities combined( CVE-2022-22965, CVE-2022-22950 & CVE-2022-22963) . Spring4Shell refers to CVE-2022-22965. Also, note that Spring4Shell has no relation with the log4shell vulnerability.

The following sections list the difference between these vulnerabilities, along with their affects and mitigation.



CVE-2022-22963 was reported on March 29, 2022 - It affects Spring Cloud functions only, which is not in Spring Framework. Spring has already released a newer version to take care of this. CVE-2022-22963 uses routing functionality to provide specially crafted Spring Expression Language (SpEL) as a routing expression to access local resources and perform RCE. It uses a specific HTTP request header:

Barracuda ADC is not affected by this vulnerability. 


This is an RCE, and a malicious actor can provide a specially crafted SpEL as a routing-expression that may result in access to local resources.


You can update your infrastructure as follows:



This vulnerability affects Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment and will not work if the Spring Boot executable is in jar deployment. So by default, the deployed application is not vulnerable to the this exploit.

Barracuda ADC is not affected by this vulnerability.


This is an RCE vulnerability, in Spring Core version 5.3.17 or earlier (for 5.3.x) and version 5.2.19 or earlier (for 5.2.x). It appears to be a bypass of protections set up for CVE-2010-1622.


You can update your infrastructure as follows:

Vendor advisory :

  • Spring Framework 5.3.18 and 5.2.20, which contain the fixes, have been released.
  • Spring Boot 2.6.6 and 2.5.12 that depend on Spring Framework 5.3.18 have been released.
  • Apache Tomcat has released versions 10.0.20, 9.0.62, and 8.5.78 which close the attack vector on Tomcat’s side, see Spring Framework RCE, Mitigation Alternative.
Further Reading: