Spring4Shell CVE-2022-22965

Can GSM detect this vulnerability or is it soon able to do so? CVE-2022-22965

Yes, there is an authenticated check (“VMware Spring Framework (Core) RCE Vulnerability (Spring4Shell, SpringShell) - Version Check”, OID: 1.3.6.1.4.1.25623.1.0.113865) in the feed.
Further checks might be added in the coming days.

1 Like

I was able to find it by searching for Spring4Shell, SpringShell

For some reason I could not find it when using the [CVE-2022-22965]

Thanks

So what is the best way to scan for it?

Should it be a CVE scan or the OpenVAS default “Full and Fast”?

Thanks

You probably didn’t have the version of the VT in question yet which included a reference to the CVE (the VT was created before the CVE was actually published and the CVE reference was added later).

Currently an authenticated scan on Windows/Linux via SMB/SSH login is required. In addition, the version check is not reliable because there are various prerequisites for being affected (from here):

  • Running on JDK 9 or higher
  • Apache Tomcat as the Servlet container.
  • Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted.
  • spring-webmvc or spring-webflux dependency.

A “low” QoD also means that the vulnerability isn’t shown by default in your report and the related filter in the results overview needs to be updated to show results with a QoD < 70 %.

There might be an additional “active” VT checking a system for this flaw remotely / without authentication and in a more reliable way. For now none exists, as the published PoCs have either not worked at all against the known affected applications or required deploying a file on the target / rewriting some logging configuration of the target (which might even break an application completely, which is something we can’t risk).

Overall, writing an active check needs some more time and research but is currently not a top priority because of the limited number of currently known affected systems / environments.

2 Likes
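The reply above explains that the authenticated version check has a low QoD because it cannot see whether the deployment meets the preconditions for CVE-2022-22965 (JDK 9+, Apache Tomcat, a traditional WAR in a standalone Tomcat, spring-webmvc/spring-webflux), and that results below QoD 70 % are hidden by the default report filter. The following is an added example, not code from this thread or from Greenbone, that applies those four prerequisites to a constructed inventory of hosts where the version check fired, so the findings that satisfy every precondition can be verified first and the rest can be deprioritised. The `Finding` record, its field names, the host names and the `DEFAULT_QOD_FILTER` constant are assumptions made for the example; it does not decide which Spring versions are affected, that remains the scanner's job.

```python
"""Triage Spring4Shell version-check findings against the stated prerequisites.

Added example (not part of the forum thread or any Greenbone VT). All host
records below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumption: the report filter hides results below this QoD, as described in the reply.
DEFAULT_QOD_FILTER = 70


@dataclass
class Finding:
    """One host where the authenticated Spring Framework version check fired (constructed)."""
    host: str
    jdk_major: int                  # major Java version found on the host
    servlet_container: str          # e.g. "tomcat", "jetty"
    packaging: str                  # "war" or "jar"
    standalone_container: bool      # deployed into a separately installed container?
    dependencies: List[str] = field(default_factory=list)
    qod: int = 30                   # QoD of the version-check result


def unmet_prerequisites(f: Finding) -> List[str]:
    """Return the prerequisites from the reply that this deployment does NOT meet."""
    reasons: List[str] = []
    if f.jdk_major < 9:
        reasons.append("JDK older than 9")
    if f.servlet_container.lower() != "tomcat":
        reasons.append("servlet container is not Apache Tomcat")
    # Spring Boot with an embedded container is packaged as a JAR and is not standalone.
    if f.packaging.lower() != "war" or not f.standalone_container:
        reasons.append("not a traditional WAR deployed in a standalone Tomcat instance")
    if not any(d in ("spring-webmvc", "spring-webflux") for d in f.dependencies):
        reasons.append("neither spring-webmvc nor spring-webflux present")
    return reasons


def hidden_by_default_filter(qod: int) -> bool:
    """True when the result would not appear in the report with the default QoD filter."""
    return qod < DEFAULT_QOD_FILTER


def triage(findings: List[Finding]) -> Dict[str, dict]:
    """Rank findings: all prerequisites met -> 'verify' first; otherwise record why it is unlikely."""
    result: Dict[str, dict] = {}
    for f in findings:
        missing = unmet_prerequisites(f)
        result[f.host] = {
            "priority": "verify" if not missing else "unlikely",
            "unmet": missing,
            "hidden_by_default_filter": hidden_by_default_filter(f.qod),
        }
    return result


# Constructed inventory: every host triggered the low-QoD version check.
INVENTORY = [
    Finding("app01", 11, "tomcat", "war", True, ["spring-webmvc"]),
    Finding("app02", 8, "tomcat", "war", True, ["spring-webmvc"]),
    Finding("app03", 17, "tomcat", "jar", False, ["spring-webmvc"]),   # Spring Boot, embedded Tomcat
    Finding("app04", 11, "jetty", "war", True, ["spring-webflux"]),
]

if __name__ == "__main__":
    for host, r in triage(INVENTORY).items():
        print(host, r)
```

Only `app01` meets all four prerequisites and is the one to confirm by hand; the other three each fail at least one precondition, which is exactly the distinction the version check alone cannot make. Every result is still below QoD 70, so the report filter has to be relaxed before any of them is visible at all.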