The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Am I Impacted?
These are the requirements for the specific scenario from the report:
JDK 9 or higher
Apache Tomcat as the Servlet container
Packaged as a traditional WAR (in contrast to a Spring Boot executable jar)
spring-webmvc or spring-webflux dependency
Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and older versions
However, the nature of the vulnerability is more general, and there may be other ways to exploit it that have not been reported yet.
需要打包成 war + jdk9+版本才会触发漏洞
新项目一般都是 jar 打包，老项目一般不用 jdk9+，是不是这个道理？