Spring Remote Code Execution Vulnerability
March 31, 2022
I'd like to start by saying that I'm not a security expert. I also won't link to the exploit. This is a very fresh take on a new vulnerability, but there's already confirmation from Sonatype. The current exploit seems to be limited to Spring on top of Tomcat, but it can probably be adapted, since the underlying vulnerability seems general enough.
The vulnerability only impacts Java 9 or newer, so if you are on an older version you should be safe from this specific exploit.
The problem is that the Java 9 module system increased the attack surface, so the original fix for the RCE is no longer sufficient.
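As an added example (not code from this post), here is the data-binder deny-list workaround that Spring published for applications that cannot upgrade right away. It assumes a Spring MVC application with spring-web on the classpath; the package name is made up for the example.

```java
package com.example.security; // assumed package name for this example

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global binder advice that refuses to bind any request parameter whose
 * property path passes through a "class" property. This shuts the data-binding
 * path that the Java 9+ module system widened; the long-term fix is still to
 * upgrade to a patched Spring Framework release.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE) // run after other advices so this list is the one in effect
public class BinderControllerAdvice {

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        // Patterns are matched literally against the bound property path, so both
        // capitalisations are listed, at the root of the path and nested inside it.
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        dataBinder.setDisallowedFields(denylist);
    }
}
```

A controller that calls setDisallowedFields in its own @InitBinder method replaces this list rather than extending it, so such controllers need the same patterns added locally.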