0-day Vulnerabilities in Spring (Spring4Shell and CVE-2022-22963/CVE-2022-22965)


On Tuesday, March 29, news of potential vulnerabilities in the Spring Framework was surfaced. The Spring Framework is a very popular framework used by Java developers to build modern applications and is owned by VMware.

Spring is providing regular updated via its support blog: Spring Framework RCE, Early Announcement

We have not received any reports of these issues from SolarWinds customers but are actively investigating. SolarWinds strongly recommends all customers disconnect their public-facing (internet-facing) installations of these SolarWinds products from the internet.

  • Database Performance Analyzer

Additionally, we recommend users of these products ensure they are referencing our best practices and recommendations as follows:

SolarWinds is actively investigating these vulnerabilities and will provide regular updates as new information becomes available and is validated. Out of an abundance of caution, we are working on updates to these products to include the latest version of the Spring Framework the Spring team has made available today, and we will alert customers to its availability once completed.

For the most recent information, please see SolarWinds Trust Center Security Advisories | Spring4Shell in the SolarWinds Trust Center.

Fixed Version

  • Database Performance Analyzer (DPA) 2022.1.7779 [Release Notes]


Date Revision
31-MAR-2022 Initial publication
07-APR-2022 Added fixed version information
Thwack - Symbolize TM, R, and C