Two critical Remote Code Execution (RCE) vulnerabilities have been disclosed in the Java Spring ecosystem: one in Spring Cloud Function and one in Spring Framework itself.
- CVE-2022-22963 is a critical RCE vulnerability in Spring Cloud Function. Patched releases (Spring Cloud Function 3.1.7 and 3.2.3) are available and should be applied to affected systems as soon as possible.
- A separate vulnerability in Spring Core (Spring Framework) that can lead to unauthenticated RCE was disclosed as a 0-day and has been dubbed "Spring4Shell" or "SpringShell" by researchers. It has since been assigned CVE-2022-22965 and is fixed in Spring Framework 5.3.18 and 5.2.20.
Public proof-of-concept code exists and active exploitation has been reported for both vulnerabilities.
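Because the two bugs live in different artifacts with different fixed versions, the first practical step is to confirm which versions a build actually resolves. The following script is an added example (not code from the page or from the Spring project): it parses the output of `mvn dependency:list`, a format that already reflects versions inherited from a parent POM or BOM, and flags artifacts below the fixed versions published in the Spring advisories. The thresholds in `FIXED` are those advisory versions; the sample output at the bottom is constructed for the example, and the choice of `spring-beans` as the marker for the whole framework is an assumption based on Spring Framework modules sharing one version number.

```python
import re

# Fixed versions per supported release line, taken from the Spring advisories
# for CVE-2022-22963 (Spring Cloud Function) and CVE-2022-22965 (Spring4Shell).
# Release lines older than those listed were end-of-life and never patched, so
# they are treated as vulnerable; lines newer than those listed shipped after
# the fix. Spring Framework modules are version-locked, so spring-beans (which
# received the Spring4Shell fix) stands in for the whole framework (assumption).
FIXED = {
    "org.springframework.cloud:spring-cloud-function-context": {
        "cve": "CVE-2022-22963",
        "lines": {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)},
    },
    "org.springframework:spring-beans": {
        "cve": "CVE-2022-22965",
        "lines": {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)},
    },
}

# One resolved dependency as printed by `mvn dependency:list`:
#   [INFO]    groupId:artifactId:type[:classifier]:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+([^:\s]+):([^:\s]+):([^:\s]+):(?:([^:\s]+):)?([^:\s]+):(\w+)\s*$"
)


def parse_version(text):
    """'5.3.17' -> (5, 3, 17). Qualifiers such as '-SNAPSHOT' or '.RELEASE' are ignored."""
    parts = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts + [0] * (3 - len(parts)))


def check(coordinate, version):
    """Return the CVE id if groupId:artifactId at this version is vulnerable, else None."""
    entry = FIXED.get(coordinate)
    if entry is None:
        return None
    v = parse_version(version)
    line, lines = v[:2], entry["lines"]
    if line in lines:
        return entry["cve"] if v < lines[line] else None
    if line > max(lines):
        return None  # newer release line, published after the fix
    return entry["cve"]  # older, unsupported release line: never patched


def scan(dependency_list):
    """Return [(coordinate, version, cve), ...] for every vulnerable artifact in mvn output."""
    findings = []
    for raw in dependency_list.splitlines():
        m = DEP_LINE.match(raw)
        if not m:
            continue
        group, artifact, _type, _classifier, version, _scope = m.groups()
        coordinate = f"{group}:{artifact}"
        cve = check(coordinate, version)
        if cve:
            findings.append((coordinate, version, cve))
    return findings


# Constructed sample of `mvn dependency:list` output for a Spring Boot service
# (not taken from any real project).
SAMPLE = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-beans:jar:5.3.17:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
"""

if __name__ == "__main__":
    for coordinate, version, cve in scan(SAMPLE):
        print(f"{cve}: {coordinate} {version} is vulnerable")
```

Run it against `mvn dependency:list -DoutputFile=deps.txt` (or the equivalent Gradle dependency report, after adjusting `DEP_LINE`) rather than against a hand-read pom.xml, since Spring Boot projects rarely declare these versions directly. A clean version check is necessary but not sufficient for Spring4Shell, whose exploitability also depends on the deployment (JDK version, servlet container, packaging), so a vulnerable version should be patched regardless of whether the other conditions appear to hold.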