Spring4Shell Vulnerability Update – April 8, 2022


CVE-2022-22965 & CVE-2022-22963

Origina has been working with our Global IBM Experts and partners to analyze both CVE-2022-22965 & CVE-2022-22963 (Spring4Shell) critical vulnerabilities to determine if this vulnerability impacts IBM products.

Based on our investigations of the IBM product portfolio, at time of article publication, we have identified Cognos as the main product which could potentially be impacted by these vulnerabilities.

Note: It may be possible for users to introduce the vulnerability through the implementation of custom code and/or configuration.


Guidance has been provided below on how to investigate the likelihood of being impacted by these vulnerabilities and mitigate within Cognos. 

It is highly recommended that all the mitigation actions presented below are first tested within a non-prod / test environment to ensure there is no unintentional impact to intended Cognos operations before deployment into your production environment.

If you feel you are exposed to these vulnerabilities and / or require support in the planning or conduct of the mitigation actions, please reach out to the Origina support team at the contact details below:

If you are an Origina customer, please log a ticket at support@origina.com or through the Self-Service Portal.

If you are not an Origina customer, please call a member of our sales team:

Dublin:  + 353 (1) 524 0012
Dallas:  +1-888-206-4862
London:  +44 2033 183790

Potentially impacted Cognos version(s):
Cognos BI version 8xx and Cognos Analytics version 10.0/10.1 included Apache Tomcat as an embedded Java servlet and Cognos 10 uses Java 9 as an ‘out of the box’ configuration.


NIST (National Institute of Standards and Technology) Description: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e., the default, it is not vulnerable to the exploit. However, the nature of this vulnerability is more general, and there may be other ways to exploit it.

How to determine if you are vulnerable to CVE-2022-22965?

To determine if there is a likelihood you are exposed to these vulnerabilities, first verify utilized versions and configurations of Cognos deployed within your environments.

According to Spring, to exploit the vulnerability, there are several required prerequisites within the target environment:

  • Java Development Kit (JDK) 9 or greater and
  • Apache Tomcat as the Servlet container and
  • Packaged as a traditional WAR and deployed in a standalone Tomcat instance. Typical Spring Boot deployments using an embedded Servlet container or reactive web server are not impacted and
  • Spring-webmvc or spring-webflux dependency and
  • Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions.

Additional notes:

  • The vulnerability involves ClassLoader access, and therefore in addition to the specific attack reported with a Tomcat specific ClassLoader, other attacks may be possible against a different custom ClassLoader.
  • The issue relates to data binding used to populate an object from request parameters (either query parameters or form data). Data binding is used for controller method parameters that are annotated with @ModelAttribute or optionally without it, and without any other Spring Web annotation.
  • The issues do not relate to @RequestBody controller method parameters (e.g., JSON deserialization). However, such methods may still be vulnerable if they have another method parameter populated via data binding from query parameters.

To verify if Cognos is using Java (JDK) 9 or greater, undertake one or more of the following methods:

Method 1 – Using Command: 

If you are aware of the Java home directory that is being used, use the command “java -version” to find the exact version for Java.  

Method 2 – From Cognos Configuration: 

    1. Open Cognos Configuration
    2. Press Ctrl+F3
    3. The information will be displayed under the System Properties tab.

Method 3 – From Logs: 

    1. Open the file cbs_cnfgtest_run.log file under logs directory.
    2. This will be presented under the entries: java_vendor, java_version

Prevention and Mitigation Options as proposed by Spring and Apache

  • Spring recommends updating to Spring 5.3.18 and 5.2.20 or greater and
  • Apache Tomcat recommends updating to the latest released versions 10.0.20, 9.0.62, and 8.5.78 which close the attack vector on Tomcat’s side, see Spring Framework RCE, Mitigation Alternative and
  • Consider updating your Web Application Firewall (WAF) Policy and
  • Consider performing enhanced monitoring of your network and
  • Consider updating your SIEM solution to ensure it is equipped with the latest Indicators of Compromise (IoC’s).


NIST Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality, it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) as a routing-expression that may result in remote code execution and access to local resources.

Spring Cloud Versions Impacted:

  • 3.1.6
  • 3.2.2
  • Older, unsupported versions are also affected.

Prevention and Mitigation Options as proposed by Spring and Apache

  • The preferred response as recommended by Spring is to update to newest version of Spring Cloud Function
    • 3.1.7
    • 3.2.3
  • Consider performing enhanced monitoring of your network for any signs of abnormal activity and
  • Consider updating your Web Application Firewall (WAF) and 
  • Consider updating your SIEM solution to ensure it is equipped with the latest Indicators of Compromise (IoC’s).

Origina continues to investigate this vulnerability and its potential impact, if any, to IBM products. If you are a current Origina customer and have any particular concerns and/or questions on if this vulnerability impacts your IBM implementation, then please reach out to Origina at support@origina.com or through the Self-Service Portal.

If you are not a current customer and require support, please call a member of our sales team:

DUBLIN: + 353 (1) 524 0012
DALLAS: +1-888-206-4862
LONDON: +44 2033 183790


Gain insight into industry-only news, access to webinars, tips and tricks, blog posts, podcasts, and guides, surrounding topics like cybersecurity, reducing software support and maintenance costs and much more, all delivered to your inbox each month.