Showing results for 
Show  only  | Search instead for 
Did you mean: 

ADTSA-2022003: Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell)

ADTSA-2022003: Spring Framework RCE via Data Binding on JDK 9+ (Spring4Shell)


A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.


Affected Products

Under investigation.  Affected products will be promptly added as each investigation is completed.

Product Family Affected Versions Severity Notes
ACI-E All Critical N/A

Unaffected Products

Product Family Products
ADTRAN OS IP Business Gateways, Routers, & Switches
  • NetVanta 1200 Series
  • NetVanta 1530 Series
  • NetVanta 1540 Series
  • NetVanta 1550 Series
  • NetVanta 1600 Series
  • NetVanta 3000 Series
  • NetVanta 4000 Series
  • NetVanta 5000 Series
  • NetVanta 6000 Series
  • Total Access 900/900e Series
Carrier Ethernet NIDs
  • NetVanta 800 Series
  • NetVanta 8000 Series
  • 9500 Series
  • FSU 7000 Series
  • SDX 6210-4
  • 1004
  • 6304W
  • 8001A
  • 8001B
  • FSU Series
Ethernet Service Delivery Gateways & Mesh APs (PlumeOS) All products
Ethernet Service Delivery Gateways & Mesh APs (SmartOS) All products
GPON, XGS-PON, & Active Ethernet ONUs
  • 300 Series (all generations)
  • 400 Series
  • SDX 600 Series
GPON & XGS-PON Service Delivery Gateways
  • SDG 814-v6
  • SDG 825-v6
  • SDX 822v
hiX All products
Mosaic Cloud Platform All products
Mosaic Cloud Platform Plugins All products
Mosaic Device Manager All products
n-Command MSP All products
OPTI Series All products
SDX 6000 Series OLTs
  • SDX 6010-16
  • SDX 6020-48
  • SDX 6310-16
  • SDX 6320-16
SDX 8000 Series Aggregation Switches All products
SmartRG Ethernet Residential Gateways & Mesh APs
  • SE80ac
  • SR400ac
  • SR905ac
  • SR905acv
SmartRG VDSL2 Residential Gateways
  • SR506n
  • SR516ac
  • SR555ac
Total Access 1100 & 1200 Series All products
Total Access 5000 All products

Mitigating Factors & Recommended Mitigations

Product Family Mitigating Factors Recommended Mitigations


Product Family Resolution
ACI-E An update is under development to mitigate the vulnerability.

Revision History

Revision Date Changes
C 2022-04-07 Update the affected versions and resolution for ACI-E.
B 2022-04-06 Added ACI-E, hiX, Mosaic Cloud Platform, Mosaic Device Manager, and n-Command MSP. Updated Ethernet Service Delivery Gateways & Mesh APs (PlumeOS), Ethernet Service Delivery Gateways & Mesh APs (SmartOS), and Mosaic Cloud Platform Plugins.
A 2022-04-01 Initial release.
Version history
Revision #:
5 of 5
Last update:
‎04-07-2022 07:59 AM
Updated by: