Important: Red Hat Security Advisory: Red Hat support for Spring Boot 2.7.17 security update

An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from t...

Important: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 4.0.1 release security update

Red Hat Integration Camel for Spring Boot 4.0.1 release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for ea...

This Week in Spring - October 24th, 2023

Hi, Spring fans! This week I'm in Lisbon, and Porto, Portugal, ahead of the Porto Tech Hub event in Porto, and my tour bus is about to leave! So, let's dive right into it! Spring Authorization Server 1.1.3, 1.0.4 and 0.4.4 available now Spring Authorization Server 1.2.0-RC1 available now Spring...

This Week in Spring - October 17th, 2023

Hi, Spring fans! Welcome to yet another installment of This Week in Spring! It's October 17th, 2023, and I am here in Montreal, Canada, and then I'm off to Salt Lake City, Utah on Thursday for the Java User Group there. Don't miss it! We've got a lot to cover this week so let's dive right into it...

Runtime efficiency with Spring (today and tomorrow)

With Spring Framework 6.1 and Spring Boot 3.2 general availability approaching, we would like to share an overview about several efforts the Spring team is pursuing to allow developers to optimize the runtime efficiency of their applications. We are going to cover the following technologies and u...

Authentication Bypass

org.apache.shiro: shiro-spring is vulnerable to Authentication Bypass. The vulnerability is due to different pattern matching techniques between Spring-Boot 2.6+ and Apache Shiro. This can result in an authentication bypass. As a workaround, set the following Spring Boot configuration value:...

Moderate: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 4.0.0 release and security update

Red Hat Integration Camel for Spring Boot 4.0.0 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

This Week in Spring - October 3rd, 2023

Hi Spring fans! Welcome to another installment of This Week in Spring! How're you doin'? I've just flown in from Singapore - where I was keynoting and presenting at SpringOne Singapore - and am now in Antwerp, Belgium for the deliriously fun Devoxx Belgium show. I've missed this show, and it's a...

Apache Shiro < 1.11.0 Authentication Bypass

Apache Shiro before 1.11.0, when using Apache Shiro with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot 2.6 default to An...

Paketo Buildpacks Bionic End Of Support

The Spring Boot plugins for Maven and Gradle provide the ability to build Docker images using Cloud Native Buildpacks. By default, Spring Boot uses the CNB builders provided by the Paketo Buildpacks project. What's Changed The Paketo Buildpacks project has announced that Ubuntu 18.04 Bionic-based...

Spring Tips: Making the joyful jump to Java 21

Hi, Spring fans! Java 21 and GraalVM supporting Java 21 are at long last here! It's been a long time in coming, but Java 21 - which comes out later today on the 19th of September, 2023 - brings with it some of the most exciting new features of any Java release. In this video, I will look at some ...

This Week in Spring - September 19th, 2023 (Java 21 Edition)

Hi, Spring fans! Welcome to another installment of This Week in Spring - Java 21 edition! The big news, indeed, the biggest news, is that Java 21 is now available here! You should use SDKMAN to install it, like this: sdk install java 21-graalce && sdk default java 21-graalce. This install givews...

Lenosp Code Issues Vulnerabilities

Lenosp is a Spring Boot 2.0 rapid development modular scaffolding organized by Zhengzhou Programmers zzdevelop in China. A security vulnerability exists in Lenosp versions 1.0.0 to 1.2.0. The vulnerability stems from an arbitrary file upload vulnerability in the /user/upload component, which allo...

spring-boot: Security Bypass With Wildcard Pattern Matching on Cloud Foundry

A flaw was found in Spring Boot. This targets specifically 'spring-boot-actuator-autoconfigure' package. This issue occurs when an application is deployed to Cloud Foundry, which could be susceptible to a security bypass. Specifically, an application is vulnerable when all of the following are...

Important: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.20.2 release and security update

Red Hat Integration Camel for Spring Boot 3.20.2 release and security update is now available. Red Hat Product Security has rated this update as having an impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

Important: Red Hat Security Advisory: Red Hat Integration Camel for Spring Boot 3.18.3.2 release and security update

Red Hat Integration Camel for Spring Boot 3.18.3.2 release and security update is now available. The purpose of this text-only errata is to inform you about the security issues fixed in this release. Red Hat Product Security has rated this update as having an impact of Important. A Common...

This Week in Spring - September 12th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you this fine 12th of September? I'm doing alright, elated, even. I've just returned from beautiful Oslo, Norway, and I've got a busy 30 days or so ahead, starting today. I'm visiting Seattle, WA; Mexico City, Mexico;...

All together now: Spring Boot 3.2, GraalVM native images, Java 21, and virtual threads with Project Loom,

This has been a very long time in coming, but finally we can create GraalVM native images that use Spring Boot via Spring Boot 3.2 and Java 21's virtual threads Project Loom! Why does all this matter? Each of these individual things, Project Loom, and GraalVM native images, offer compelling runti...

Important: Red Hat Security Advisory: Red Hat Process Automation Manager 7.13.4 security update

An update is now available for Red Hat Process Automation Manager. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which provides a detailed severity rating, is available for each vulnerability from th...

spring-boot: Spring Boot Welcome Page DoS Vulnerability

A flaw was found in Spring Boot, occurring prominently in Spring MVC with a reverse proxy cache. This issue requires Spring MVC to have auto-configuration enabled and the application to use Spring Boot's welcome page support, either static or templated, resulting in the application being deployed...