SAP Knowledge Base Article - Preview

3171058 - CVE-2022-22965 - AS Java Core Components' impact for Spring Core Remote Code Execution vulnerability


You are curious whether your SAP NetWeaver Application Server Java system is affected by spring core remote code execution vulnerability exploited In the wild (SpringShell). See documentation: CVE-2022-22965.

  • Vulnerability CVE-2022-22965
  • How does this impact SAP Netweaver Application Server Java Core Components
  • The AS Java Core Software Components are documented in KBA 1794179 Importing AS Java Core patches for NetWeaver 7.1 or higher



Affected Software and Versions / Existing proofs of concept (PoCs) for exploitation work under the following conditions:

  • JDK 9 or higher
  • Apache Tomcat as the Servlet container
  • Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
  • spring-webmvc or spring-webflux dependency
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions


SAP NetWeaver Application Server for Java all versions


KBA , BC-JAS-COR , Enterprise Runtime, Core J2EE Framework , BC-JAS-SEC , Security, User Management , BC-JVM , SAP Java Virtual Machine , Problem

About this page

This is a preview of a SAP Knowledge Base Article. Click more to access the full version on SAP for Me (Login required).

Search for additional results

Visit SAP Support Portal's SAP Notes and KBA Search.