Spring4Shell Security Vulnerability


In April 2022, a vulnerability in the Spring Framework was identified that affects Spring MVC and Spring WebFlux applications running on JDK 9+. Tom Sawyer Software has been diligently examining our own dependencies. Read on to see how this may affect you—and check back frequently for updates as this issue evolves.

Not affected by Spring Framework vulnerability:

  • Tom Sawyer Analysis
  • Tom Sawyer Layout
  • Tom Sawyer Visualization
  • Tom Sawyer Licensing

Affected by Spring Framework vulnerability:

  • Tom Sawyer Perspectives 
    • Graph and Data Visualization SDK Designer and Web Preview
    • Business Process
    • Graph Database Browser
    • Model-Based Engineering
  • Any custom Perspectives app which utilizes Spring MVC or Spring WebFlux 

How do I know if my application is vulnerable?

An application is known to be vulnerable if it:

  • Has a dependency on spring-webmvc or spring-webflux
  • Runs with JDK 9+
  • Has Apache Tomcat as the Servlet container
  • Is packaged as a WAR and deployed in a standalone Tomcat instance
There may be other unknown ways to exploit the vulnerability. Refer to the Spring announcement for details.

Options for remediation

  • Upgrade to Tom Sawyer Perspectives 10.1.0 which has updated to Spring Framework 5.3.18 and Spring Boot 2.6.6.
  • Update to Spring Framework 5.3.18 and Spring Boot 2.6.6.
  • Update to Tomcat 9.0.62.
  • Downgrade to Java 8.

Contact Us

Have questions about this vulnerability and your system? We are here for you. Log in to support.tomsawyer.com and submit a case with any questions, issues, or concerns. We'll get right back to you.