OSSEVA FOR SPRING FRAMEWORK

Spring Framework 5.x is EOL. Your applications are not.

OSSeva ships CVE patches for Spring Framework 5.3.x and earlier past the community EOL date — with migration design to 6.x and compliance documentation for your auditors.

Why now

Spring Framework 5.3.x: EOL December 2024

Broadcom/VMware set Spring Framework 5.3.x EOL for December 31, 2024. Critical CVEs discovered after that date have no official patch from the upstream project. OSSeva fills that gap.

Migration to Spring 6 requires Java 17+

Spring Framework 6.x requires Java 17 as the baseline. Many enterprise applications are still on Java 11 or 8. The migration is real work — OSSeva gives your team time to do it safely.

Spring Commercial is a commercial product now

Spring Commercial (from Broadcom/VMware) requires a commercial subscription for extended Spring support. OSSeva provides the same CVE-patched continuity under an OSS-compatible contract.

Versions covered

All versions below receive active CVE patches from OSSeva. Version numbers in monospace are exact release identifiers.

Version   Status     Active CVEs
5.2.x     Extended   Clean
5.3.x     Extended   Clean
6.0.x     Current    Clean
6.1.x     Current    Clean

What you get

Three tiers — pick the level of engagement that matches your team's operational needs and compliance requirements.

OSSeva Patch

CVE remediation for Spring 5.x past community EOL.

  • Quarterly CVE patches for covered versions
  • Maven Central compatible artifacts
  • Vulnerability disclosure notifications
  • Migration planning
  • Architecture review
Most popular

OSSeva Assure

Patches plus 5.x → 6.x migration design and compliance docs.

  • Everything in Patch
  • Spring 5→6 migration roadmap
  • Dependency compatibility audit
  • Compliance attestation package
  • Spring Security coverage included
  • 24/7 managed operations

OSSeva Operate

Application-tier managed operations for your Spring fleet.

  • Everything in Assure
  • JVM performance monitoring
  • 15-minute P1 incident response SLA
  • Named engineer on your account
  • Migration execution support

All tiers are priced per cluster/application, not per core. Contact OSSeva for pricing.

How it installs

OSSeva artifacts arrive via your existing package infrastructure. Pull the patched version the same way you pull upstream today — just from the OSSeva registry.

Maven — OSSeva Spring Framework artifact (XML)

<dependency>
  <groupId>io.osseva.springframework</groupId>
  <artifactId>spring-core</artifactId>
  <version>5.3.39-osseva-1</version>
</dependency>

Gradle (Kotlin DSL)

implementation("io.osseva.springframework:spring-core:5.3.39-osseva-1")
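
Because the patched artifacts use the groupId io.osseva.springframework, Maven and Gradle treat them as different artifacts from org.springframework ones, so an upstream jar pulled in transitively can still sit on the classpath next to the patched one. The script below is an added example, not OSSeva tooling: it reads the output of `mvn dependency:list` and reports Spring Framework modules that resolve from both groups or from upstream only. The sample listing is constructed, and it assumes other libraries in the build still declare org.springframework coordinates.

```python
import re
from collections import defaultdict

UPSTREAM = "org.springframework"        # upstream Spring Framework groupId
OSSEVA = "io.osseva.springframework"    # groupId shown in the snippets above

# group:artifact:type[:classifier]:version:scope, as printed by `mvn dependency:list`
COORD = re.compile(
    r"([\w.\-]+):([\w.\-]+):[\w.\-]+(?::[\w.\-]+)?:([\w.\-]+):"
    r"(?:compile|runtime|provided|test|system)\b"
)

# Constructed sample output for illustration, not taken from a real build.
SAMPLE = """\
[INFO]    io.osseva.springframework:spring-core:jar:5.3.39-osseva-1:compile
[INFO]    org.springframework:spring-core:jar:5.3.39:compile
[INFO]    org.springframework:spring-web:jar:5.3.39:compile
[INFO]    com.example:billing-client:jar:1.4.0:compile
"""

def spring_modules(listing):
    """Map artifactId -> {groupId: version} for Spring Framework modules."""
    found = defaultdict(dict)
    for line in listing.splitlines():
        m = COORD.search(line)
        if m and m.group(1) in (UPSTREAM, OSSEVA):
            found[m.group(2)][m.group(1)] = m.group(3)
    return found

def audit(listing):
    """Return (duplicated, upstream_only) artifactIds, each sorted."""
    found = spring_modules(listing)
    # Same module resolved from both groups: two copies of the same classes.
    duplicated = sorted(a for a, g in found.items() if len(g) == 2)
    # Module resolved from upstream only: no patched replacement in the build.
    upstream_only = sorted(a for a, g in found.items() if set(g) == {UPSTREAM})
    return duplicated, upstream_only

if __name__ == "__main__":
    dup, up = audit(SAMPLE)
    print("on classpath from both groups:", dup)
    print("still resolved from upstream only:", up)
```

A non-empty result from either list means the build needs exclusions or dependency substitution before the patched version is the only one loaded.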

Compliance library

Available on request:

  • SOC 2 Type II Attestation
  • Sample Audit Narrative
  • Pen-Test Report Summary
  • HIPAA Technical Safeguard Matrix

Frequently asked questions

Do your Spring 5.x artifacts replace Spring Commercial from Broadcom?

Yes. OSSeva for Spring Framework provides CVE-patched 5.3.x artifacts that are drop-in replacements for both upstream Spring and Spring Commercial. No Broadcom subscription required.

Is Spring Boot also covered?

Spring Boot 2.x (which uses Spring Framework 5.x) is a separate OSSeva offering — OSSeva for Spring Boot. Both are frequently purchased together.

Ready to get Spring Framework patched and supported?

Start with a 45-minute discovery call. We confirm your version coverage, scope the engagement, and have you onboarded within your first quarter.