Closed Zhangmao0809 closed 2 years ago
This project is built against JDK 1.6 and Spring Framework 4.3.30.
NOTE: 4.3.x branch is no longer supported and the 4.3.30 release was the last release in the 4.3.x line. The Spring Framework RCE recommends upgrading to 5.3.18 or 5.2.20, however, the 5.x line was not fully tested with this project and may not work. As advised in the "Suggested Workarounds", downgrading to Java 8 and/or upgrading Tomcat is a viable workaround.
Hi, I know the Spring Security OAuth project is deprecated, but I still want to know: is Spring Security OAuth affected by the RCE vulnerability?
CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+ https://tanzu.vmware.com/security/cve-2022-22965
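A triage sketch for the two version conditions named in this thread (JDK 9+ and a Spring Framework release older than 5.3.18 / 5.2.20), added here as an example and not code from the Spring Security OAuth project. The function names and status labels are hypothetical, the inventory is constructed, and treating lines newer than 5.3.x as fixed is an assumption; deployment factors such as the Tomcat version are not checked.

```python
import re

# Fixed Spring Framework releases named in the thread, keyed by release line.
# The 4.3.x line ended at 4.3.30 and has no fixed release.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

def java_feature_version(java_version: str) -> int:
    """Map a java.version string to its feature release (6, 8, 11, 17, ...)."""
    parts = [int(p) for p in re.findall(r"\d+", java_version)]
    if not parts:
        raise ValueError(f"unparseable java.version: {java_version!r}")
    # Legacy scheme up to Java 8: "1.6.0_45", "1.8.0_321" -> second field.
    if parts[0] == 1 and len(parts) > 1:
        return parts[1]
    return parts[0]

def spring_tuple(spring_version: str) -> tuple:
    """Parse '4.3.30.RELEASE' or '5.3.17' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", spring_version)
    if not m:
        raise ValueError(f"unparseable Spring version: {spring_version!r}")
    return tuple(int(x) for x in m.groups())

def triage(java_version: str, spring_version: str) -> str:
    """Classify one deployment by the JDK and Spring Framework conditions."""
    if java_feature_version(java_version) < 9:
        return "jdk-precondition-not-met"   # the Java 8 workaround from the thread
    spring = spring_tuple(spring_version)
    if spring[:2] > (5, 3):
        return "fixed-release"              # assumption: later lines carry the fix
    fixed = FIXED.get(spring[:2])
    if fixed is None:
        return "no-fixed-release-in-line"   # e.g. 4.3.x: change the JDK or the line
    return "fixed-release" if spring >= fixed else "upgrade-required"

# Constructed inventory: (service, java.version, Spring Framework version).
INVENTORY = [
    ("auth-legacy", "1.8.0_321", "4.3.30.RELEASE"),
    ("auth-jdk11", "11.0.14", "4.3.30.RELEASE"),
    ("api-gateway", "17.0.2", "5.3.17"),
    ("api-patched", "17.0.2", "5.3.18"),
]

def report(inventory=INVENTORY) -> dict:
    return {name: triage(jv, sv) for name, jv, sv in inventory}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:12} {status}")
```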