Advisory: Spring Cloud Function (SPEL) and Spring Framework AKA SpringShell vulnerabilities (CVE-2022-22963, CVE-2022-22965)

← Back to Security Advisories Overview
Cloud Optix
Sophos Central
Sophos Email
Sophos Firewall
Sophos Home
Sophos Mobile
Sophos Mobile EAS Proxy
Sophos Switch
Sophos UTM
Sophos UTM Manager
Publication ID: sophos-sa-20220401-spring-rce
Article Version: 1
First Published:
Workaround: No


Between Wednesday March 30, 2022, and the following day, two severe but unrelated vulnerabilities were revealed in the Java Spring Framework and its Spring Cloud Function component, respectively.

Spring Framework is a widely used framework for building Java cloud and web applications. The vulnerabilities affect a broad range of services and applications on servers, making them extremely dangerous – and the latest updates for those server applications urgent. Sophos has observed widespread malicious attempts to exploit internet facing services using these vulnerabilities.

The Spring Cloud Function vulnerability (CVE-2022-22963, sometimes referred to as the “SPEL vulnerability”) makes it possible for remote attackers to use specially crafted HTTP request headers to execute code on servers. The Spring Framework vulnerability (CVE-2022-22965, also known as “SpringShell”) similarly allows remote attackers to execute code via data bindings.

Patches for Spring

  • CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression. Upgrade Spring Cloud Function to version 3.1.7 or 3.2.3.

  • CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+. Upgrade Spring Framework to version 5.2.20 or 5.3.18.

Additionally, Spring Boot 2.5.12 and 2.6.6 have been released to include the fixed Spring Framework.

What Sophos products are affected?

Sophos is reviewing and patching all potentially affected applications and services as part of its incident response process.

No Sophos products or services are impacted.

Sophos will publish updated information as it becomes available.

How are Sophos customers protected?

Sophos Managed Threat Response (MTR) customers

Sophos is actively monitoring MTR customer accounts for post-exploit activity.

IPS Signatures

IPS signatures were first published on March 30, 2022.

Sophos Firewall

  • SIDs for CVE-2022-22963 are 59388, 59416, 2306989

  • SIDs for CVE-2022-22965 are 30790, 30791, 30792, 30793

Sophos Endpoint

  • SIDs for CVE-2022-22963 are 2306989, 2306999

  • SIDs for CVE-2022-22965 are 2306990

Sophos SG UTM

  • SIDs for CVE-2022-22963 are 59388, 59416

  • SIDs for CVE-2022-22965 are 30790, 30791, 30792, 30793