Spring Security Advisories
added 2022/08/23 7:00 a.m., 21 views

This Week in Spring - August 23rd, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! We've got a ton to cover, so let's dive right into it! A Bootiful Podcast: Flowable founder Joram Barrez on a Bootiful Podcast on workflow, business process management, and more Building IoT Applications Using Fauna and Spring...

AI score 0.6
Exploits: 0
Spring Security Advisories
added 2022/08/10 3:26 p.m., 25 views

Spring Web Flow 3.0 M1 Released

It has been almost 4 years since the last set of Spring Web Flow releases. Nevertheless, the project continues to serve a specific need particularly well, arguably better than alternatives, and remains in active use. While there hasn't been a strong driver for new releases, the upcoming Spring...

AI score 0.5
Exploits: 0
Spring Security Advisories
added 2022/08/09 8:00 a.m., 15 views

This Week in Spring - August 9th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you this fine Tuesday? I'm in Kansas City for the Kansas City Developer Conference. It's a crazy fun show, and I'm glad to be here. I only wish the rest of you were here, too! We've got a packed This Week in Spring,...

Exploits: 0
IBM Security Bulletins
added 2022/08/08 8:28 a.m., 103 views

Security Bulletin: Vulnerabilities in Spring Framework affect IBM Cloud Pak System (CVE-2022-22965, CVE-2020-5421)

Summary IBM Cloud Pak System is affected by a remote code execution in Spring Framework CVE-2022-22965 and CVE-2020-5421. IBM Cloud Pak System ships with an AWS component that includes it but is not used by it. The fix removes Spring from the product. This security bulletin service applies to IBM...

CVSS 9.8 | AI score 9.5 | EPSS 0.99677
Exploits: 101 | Affected software: 1
RedHat Linux
added 2022/08/04 4:46 a.m., 3 views

spring-expression: Denial of service via specially crafted SpEL expression

A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service...

CVSS 6.5 | AI score 7.1 | EPSS 0.36658
Exploits: 0 | References: 4
IBM Security Bulletins
added 2022/08/03 8:30 p.m., 46 views

Security Bulletin: IBM Sterling File Gateway is affected by a remote code execution in Spring Framework (CVE-2022-22965)

Summary IBM Sterling File Gateway is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring...

CVSS 9.8 | AI score 9.2 | EPSS 0.99677
Exploits: 100 | Affected software: 1
IBM Security Bulletins
added 2022/08/03 8:07 p.m., 96 views

Security Bulletin: IBM Sterling B2B Integrator is affected by a remote code execution in Spring Framework (CVE-2022-22965)

Summary IBM Sterling B2B Integrator is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spri...

CVSS 9.8 | AI score 9.2 | EPSS 0.99677
Exploits: 100 | Affected software: 1
IBM Security Bulletins
added 2022/08/03 4:43 p.m., 160 views

Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities including remote code execution in Apache Log4j 1.x

Summary IBM Data Risk Manager IDRM 2.0.6.13, which is the only supported version, is impacted by multiple vulnerabilities including Apache Log4j 1.x CVE-2019-17571, CVE-2022-23305, CVE-2022-23307, CVE-2022-23302, CVE-2021-4104, CVE-2020-9488, CVE-2020-9493 which was bundled within hadoop-client...

CVSS 9.8 | AI score 10 | EPSS 0.81147
Exploits: 34 | Affected software: 1
Spring Security Advisories
added 2022/08/02 7:00 a.m., 10 views

This Week in Spring - August 1st, 2022

Aloha, Spring fans! Welcome to another installment of This Week in Spring! I'm still on vacation on the beautiful island of Maui, Hawaii, but I wanted to say hello "aloha!" and share this week's latest roundup of all that's good and glorious in the wide and wonderful world of Springdom. Funny thing,...

AI score 0.3
Exploits: 0
IBM Security Bulletins
added 2022/07/25 7:50 a.m., 76 views

Security Bulletin: IBM Common Licensing is vulnerable to a remote code attack in Spring Framework and Apache Commons (CVE-2022-22970, CVE-2022-22971, CVE-2022-33980)

Summary IBM Common Licensing is vulnerable to a remote code execution in Spring Framework CVE-2022-22970, CVE-2022-22971 as it does have Spring Framework versions 5.3.0 to 5.3.20, 5.2.0 to 5.2.22, and older versions. IBM Common Licensing is vulnerable to a remote code execution in Apache Commons...

CVSS 9.8 | AI score 8.9 | EPSS 0.34819
Exploits: 4 | Affected software: 1
BDU FSTEC
added 2022/07/21 12:00 a.m., 5 views

A vulnerability in the Spring Framework configuration used in the firmware of the Keysight N6841A RF monitoring sensors and the Keysight N6854A geolocation sensors allows an attacker to execute arbitrary code.

The vulnerability in the Spring Framework configuration used in the firmware of the Keysight N6841A RF monitoring sensors, as well as in the firmware of the Keysight N6854A geolocation systems, lies in the deserialization of untrusted data. Exploiting this...

CVSS 10 | AI score 8.2 | EPSS 0.15968
Exploits: 0 | References: 7 | Affected software: 2
Spring Security Advisories
added 2022/07/19 10:00 a.m., 15 views

This Week in Spring - July 19th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! This week I'm trying to wind down some threads and take some vacation with my family. It's going to be an amazing time, indeed! But that doesn't stop the deluge of novelties and news in the wide world of Springdom, so we've got a...

AI score 0.6
Exploits: 0
RedHat Linux
added 2022/07/14 12:56 p.m., 0 views

springframework: malicious input leads to insertion of additional log entries

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries...

CVSS 4.3 | AI score 6.8 | EPSS 0.01268
Exploits: 0 | References: 4
RedHat Linux
added 2022/07/14 12:56 p.m., 1 view

spring-expression: Denial of service via specially crafted SpEL expression

A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service...

CVSS 6.5 | AI score 7.1 | EPSS 0.36658
Exploits: 0 | References: 4
IBM Security Bulletins
added 2022/07/13 2:41 a.m., 38 views

Security Bulletin: Watson Machine Learning Accelerator is affected but not classified as vulnerable to a remote code execution in Spring Framework (CVE-2022-22971)

Summary Watson Machine Learning Accelerator is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22971 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast t...

CVSS 6.5 | AI score 2.5 | EPSS 0.02931
Exploits: 0 | Affected software: 1
Github Security Blog
added 2022/07/11 8:59 p.m., 46 views

Temporary Directory Hijacking to Local Privilege Escalation Vulnerability in org.springframework.boot:spring-boot

spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. The vulnerable method is used to create a work directory for embedd...

CVSS 7.8 | AI score 0.5 | EPSS 0.00583
Exploits: 1 | References: 4 | Affected software: 1
RedHat Linux
added 2022/07/07 2:19 p.m., 1 view

springframework: Authorization Bypass in RegexRequestMatcher

A flaw was found in Spring Security. When using RegexRequestMatcher, an easy misconfiguration can bypass some servlet containers. Applications using RegexRequestMatcher with . in the regular expression are possibly vulnerable to an authorization bypass...

CVSS 9.8 | AI score 7.3 | EPSS 0.10037
Exploits: 6 | References: 5
RedHat Linux
added 2022/07/07 2:19 p.m., 2 views

springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096)

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more...

CVSS 4.3 | AI score 6.8 | EPSS 0.00855
Exploits: 0 | References: 4
RedHat Linux
added 2022/07/07 2:19 p.m., 1 view

Framework: Data Binding Rules Vulnerability

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the fiel...

CVSS 5.3 | AI score 6.7 | EPSS 0.05413
Exploits: 2 | References: 5
RedHat Linux
added 2022/07/07 2:19 p.m., 0 views

springframework: DoS with STOMP over WebSocket

A flaw was found in Spring Framework Applications. Applications that use STOMP over the WebSocket endpoint are vulnerable to a denial of service attack caused by an authenticated user...

CVSS 6.5 | AI score 7.3 | EPSS 0.02931
Exploits: 0 | References: 5