SpringShell RCE vulnerability

Shot by Tarik Haiga

At the end of March 2022, news of a newly discovered "remote code execution" (RCE) vulnerability in the Spring Framework for Java surfaced.

Also known as SpringShell, Spring4Shell or, by its identifier, CVE-2022-22965, this weakness affects applications built on top of the Spring Framework AND running on JDK 9+, and can be exploited with a specially crafted HTTP request sent to the web server. The preconditions Spring documented for the published exploit are: JDK 9 or later, Apache Tomcat as the servlet container, the application packaged as a traditional WAR, a spring-webmvc or spring-webflux dependency, and Spring Framework 5.3.0 to 5.3.17 or 5.2.0 to 5.2.19 (older, unsupported versions are affected as well). Spring also stresses that the underlying flaw is more general than that exploit, so not matching every precondition is no reason to skip the upgrade.


TL;DR

✅ If your system runs on JDK 8, the published exploit does not apply to you (it relies on a class-loader access path that only exists from JDK 9 onwards).

⚠️ Upgrading Spring Core (Spring Framework) to 5.3.18+ or 5.2.20+ is recommended, and critical if you run JDK 9+.

⚠️ Upgrading Spring Boot to 2.6.6+ or 2.5.12+ is recommended, and critical if you run JDK 9+.




The past few days have seen a lot of new literature on this topic, from close investigations to POCs (proofs of concept) and diagnoses, which we recommend reading for a better understanding of the matter (you can start with the official Spring post and the Microsoft article).

🥊 Impacts on Fast2

Although Fast2 is not directly exposed to this vulnerability (and does not expose your infrastructure through it), both aspects, the JDK and the Spring libraries, are involved.

JDK version

As mentioned in the installation section of our documentation, both JDK 8 and JDK 11 are supported for a sustainable Fast2 usage.

Here, nobody is better placed than yourself to identify the JDK Fast2 is pointing at. Open <FAST2_HOME>/config/env.properties and check whether a specific JDK has been provided for the tool.

If so, skip to the next part.

Otherwise, open a command line and run the following command:

$ java -version

This shows the Java registered in the PATH of the Fast2 server, which is the one Fast2 picks up on startup.

Spring dependencies

As of today, the latest release version of Fast2 is the 2.4.7.

The embedded libraries are at affected versions:

  • Spring Core: 5.2.6 (inside the affected 5.2.0 to 5.2.19 range; fixed in 5.2.20)

  • Spring Boot: 2.3.0 (fixes were published for the 2.5 and 2.6 lines, as 2.5.12 and 2.6.6)

Although the worker only involves Spring Boot, the broker engine requests both.

However, when Fast2 runs on JDK 8 the JDK precondition of the vulnerability is not met, which prevents these dependencies from being maliciously exploited. On JDK 11, the published exploit additionally requires a WAR deployment on Apache Tomcat with Spring MVC or WebFlux, but since the flaw is more general than that exploit, treat the steps below as required in that case.


👉 Way to go

Based on the official report advising on the course of action to take, a few elements are relevant given the circumstances. Some of them can be carried out on the customers' end, although Fast2 itself will be upgraded in any case for safety reasons.

Downgrade to JDK 8 if necessary

Locate the bin/ directory of a JDK 8 already installed on your machine, or download one.

The next step is to have Fast2 use this JDK, which you do by pointing <FAST2_HOME>/config/env.properties at it, as explained in the installation section of our documentation.

Upgrade Spring dependencies

Spring Boot 2.6.6 has recently been published (along with 2.5.12 for the 2.5 line); the latest version can be downloaded from Maven Central.

Alongside that dependency, Spring Core (Spring Framework) should be upgraded to 5.3.18 or later, or 5.2.20 or later. Note that 5.2.19 is still affected; the fix for the 5.2 line is 5.2.20.

However, there is little point in swapping these JARs in the library folder of Fast2, as that would only affect the worker. The broker embeds these dependencies inside its own JAR, so replacing the files in the library folder leaves the broker unchanged.
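To turn the JDK check and the Spring dependency check above into something repeatable, here is an added triage script (example code written for this post, not Fast2's own tooling). It assumes a POSIX shell with Info-ZIP unzip installed, takes the affected and fixed ranges from the Spring advisory, and scans whatever directory you pass it (for Fast2, the lib/ folder and the directory holding the broker JAR are the interesting ones; the <FAST2_HOME>/lib path in the usage note is a hypothetical placeholder). The version strings in the demo loop are constructed from the numbers given in this post.

```shell
#!/bin/sh
# Added triage helpers for CVE-2022-22965 (example code, not part of Fast2).
# Assumes a POSIX shell and Info-ZIP unzip(1); directory arguments are hypothetical.

# Major version from a "java -version" string:
#   "1.8.0_292" -> 8   "11.0.14" -> 11   "17" -> 17
java_major() {
    case "$1" in
        1.*) echo "$1" | cut -d. -f2 ;;   # legacy 1.x scheme (JDK 8 and older)
        *)   echo "$1" | cut -d. -f1 ;;   # JDK 9+ scheme
    esac
}

# The JDK on the PATH, i.e. what Fast2 picks up at boot when env.properties
# names none. The version banner is printed on stderr, hence the redirect.
running_java_major() {
    raw=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    java_major "$raw"
}

# Affected spring-core versions per the Spring advisory: 5.3.0-5.3.17 and
# 5.2.0-5.2.19 (fixed in 5.3.18 / 5.2.20). Anything older is out of support
# and treated as affected. Accepts "5.2.6.RELEASE" as well as "5.3.17".
# Returns 0 (true) when the version is affected.
spring_core_vulnerable() {
    v=${1%.RELEASE}
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$maj" -lt 5 ] && return 0
    [ "$maj" -eq 5 ] && [ "$min" -lt 2 ] && return 0
    [ "$maj" -eq 5 ] && [ "$min" -eq 2 ] && [ "$pat" -le 19 ] && return 0
    [ "$maj" -eq 5 ] && [ "$min" -eq 3 ] && [ "$pat" -le 17 ] && return 0
    return 1
}

# Verdict for a (JDK major, spring-core version) pair:
#   PATCHED            spring-core already carries the fix
#   MITIGATED-BY-JDK8  affected library, but the published exploit needs JDK 9+
#   EXPOSED            affected library on JDK 9+: upgrade Spring or downgrade the JDK
assess() {
    if spring_core_vulnerable "$2"; then
        if [ "$1" -ge 9 ]; then echo EXPOSED; else echo MITIGATED-BY-JDK8; fi
    else
        echo PATCHED
    fi
}

# spring-core versions found under a directory: plain spring-core-*.jar files
# and spring-core JARs nested inside fat JARs (the broker case). Prints one
# "<jar> <version>" line per hit, so a patched lib/ next to an unpatched
# broker JAR is visible at a glance.
spring_core_versions_in() {
    for jar in "$1"/*.jar; do
        [ -f "$jar" ] || continue
        { basename "$jar"; unzip -Z1 "$jar" 2>/dev/null; } \
          | sed -n 's!.*spring-core-\([0-9][0-9A-Za-z.]*\)\.jar$!\1!p' \
          | sed "s!^!$(basename "$jar") !"
    done
}

# Demo on constructed input: the JDKs Fast2 supports and the spring-core
# version this post lists for Fast2 2.4.7.
for jdk in 8 11; do
    echo "JDK $jdk + spring-core 5.2.6.RELEASE -> $(assess "$jdk" 5.2.6.RELEASE)"
done
```

In practice you would feed the real values in: `assess "$(running_java_major)" <version>` for each version line printed by `spring_core_versions_in <FAST2_HOME>/lib` and by the same call on the broker JAR's directory. Because the scan also looks inside fat JARs, it keeps reporting the broker's embedded spring-core after you swap the JARs in lib/, which is exactly the situation the paragraph above warns about.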

Upgrade Fast2

While the next version (the successor of the current 2.4.7) is still under construction, the Spring dependency upgrade has already been integrated into it for safer and more serene migration operations. We highly recommend moving to that version once it is published.