SAP Knowledge Base Article - Preview

3187386 - Spring4Shell: Zero-Day Vulnerability in Spring Framework on SAP Commerce

Symptom

A zero-day remote code execution (RCE) vulnerability, dubbed "SpringShell" or "Spring4Shell", has come to light in the Spring Framework.

Spring is a software framework for building Java applications, including web apps on top of the Java EE (Enterprise Edition) platform.

The CVE assigned for this vulnerability is CVE-2022-22965.


Read more...

Environment

Affected CommerceCloud versions:
CommerceCloud versions 1905 to 2105 are affected.

For CommerceCloud in the Public Cloud (CCv2), the vulnerability exists but does not lead to remote code execution.
CommerceCloud versions below 1905 are not affected by this vulnerability.

Fixed Versions
The following versions include a fix. If you are using one of these versions or a higher patch level of the same release, no further action is needed:
2211.0
2205.0
2105.10
2011.20
2005.25
1905.41
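The following triage helper is an added example, not part of the SAP KBA: it parses an SAP Commerce version string of the form "YYMM.patch" and classifies it against the fixed patch levels listed above (releases below 1905 are treated as not affected, release lines the article does not list as unknown). The inventory it runs over is constructed sample data.

```python
# Added example (not from the SAP KBA): classify SAP Commerce version strings
# against the fixed versions listed in this article.
from typing import Dict, Tuple

# Minimum patch level per release line that contains the fix, taken from the
# article's "Fixed Versions" list. Releases below 1905 are not affected at all.
FIXED_PATCH = {1905: 41, 2005: 25, 2011: 20, 2105: 10, 2205: 0, 2211: 0}
FIRST_AFFECTED_MAJOR = 1905


def parse_version(version: str) -> Tuple[int, int]:
    """Split 'YYMM.patch' into (major, patch); a bare 'YYMM' counts as patch 0."""
    major, _, patch = version.strip().partition(".")
    if not major.isdigit() or (patch and not patch.isdigit()):
        raise ValueError(f"unrecognised SAP Commerce version: {version!r}")
    return int(major), int(patch or 0)


def classify(version: str) -> str:
    """Return 'not_affected', 'fixed', 'vulnerable' or 'unknown' for one version."""
    major, patch = parse_version(version)
    if major < FIRST_AFFECTED_MAJOR:
        return "not_affected"  # article: versions below 1905 are not affected
    if major not in FIXED_PATCH:
        return "unknown"       # release line not covered by the article
    return "fixed" if patch >= FIXED_PATCH[major] else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each system name in an inventory to its classification."""
    return {name: classify(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; system names and versions are made up.
    sample = {"shop-prod": "2105.9", "shop-qa": "2105.10",
              "legacy": "1811.12", "new-build": "2211.4"}
    for name, status in triage(sample).items():
        print(f"{name}: {status}")
```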

Product

SAP Commerce 1905; SAP Commerce 2005; SAP Commerce 2011; SAP Commerce 2105

Keywords

KBA, CEC-SCC-PLA-PL, Platform, Problem
