The vulnerability is in the Spring Core (or Spring4Shell) that can be exploited when an attacker sends a specially crafted query to a web server using the framework.
Systems could be impacted if using the following components:
- JDK 9.0 or later;
- Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier;
- Apache Tomcat as the Servlet container;
- Packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance;
- Tomcat has spring-webmvc or spring-webflux dependencies.
The following non-malicious command can be used to determine vulnerable systems:
$ curl host:port/path?class.module.classLoader.URLs%5B0%5D=0
A host that returns an HTTP 400 response should be considered vulnerable to the attack.
Pro CISO's Vulnerability Management services can scan your systems to identify affected instances that require patching.
The Microsoft Spring4Shell blog
The Spring Framework Announcement and Updates