Spring4Shell

Mar 30, 2022

A critical security vulnerability has appeared in the Spring Cloud function which could allow for RCE (remote code execution). As with Log4Shell, the newly dubbed Spring4Shell is another collection of Java Vulnerabilities.

The vulnerability is found in the spring cloud framework which is used by multiple cloud vendors such as Netflix and Kubernetes.

Spring4Shell has been given a 9 out of 10 vulnerability severity score per the CVSS scale.


The vulnerability exploits versions of Spring Cloud 3.1.6 and 3.2.2. The versions that can be exploited require the following:

JDK9 and above

Using the Spring-beans package

Spring parameter binding is used

Spring parameter binding uses non-basic parameter types, such as general POJOs

Users have been advised to update to 3.1.7 and 3.2.3.


The exploit targets Spring Cloud by allowing for the creation of a custom parameter for the Spring Beans Package that calls the getter or setter of the parameter. This parameter will use a POJO or Plain Old Java Object which means that certain classes can be called which introduces the RCE or Remote Code Exploitation.


The first 0 day exploit this uses a modified Tomcat log configuration to write the shell in the log. Remediation includes a YARA rule to detect the POC code, however it does not detect variants.



The YARA rule can be found at"

https://github.com/Neo23x0/signature-base/blob/master/yara/expl_spring4shell.yar