Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060)
Summary IBM Sterling B2B Integrator has addressed a security vulnerability in Spring Framework. Vulnerability Details CVEID:CVE-2021-22060 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation. B...
Spring at JavaOne 2022
Hi, Spring fans! It's Sunday the 16th of October as I write this and I'm winging my way to sunny Las Vegas, Nevada, where I'll be attending and presenting at the first JavaOne show in years! It didn't exist as the JavaOne we know and love for years, even before the pandemic interrupted life as we kno...
Learn more about Spring Framework 6 and Spring Boot 3 in these two great talks from Devoxx 2022
Hi, Spring fans! I was just at Devoxx in Belgium, where hundreds of experts from across the Java ecosystem converged for the first time since 2019 to deliver their biggest and best. I could do a proper trip report, but I really just came here to point you to two talks from two of my amazing...
Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Spring Framework (CVE-2021-22096, CVE-2022-22950)
Summary IBM Sterling B2B Integrator has addressed security vulnerabilities in Spring Framework. Vulnerability Details CVEID:CVE-2021-22096 DESCRIPTION: VMware Spring Framework could allow a remote attacker to bypass security restrictions. By sending a specially-crafted input, an attacker could...
Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965]
Summary IBM Cloud Pak for Business Automation is affected but not classified as vulnerable to a remote code execution in Spring Framework as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring Bo...
Vmware Spring Framework Remote Code Execution (CVE-2020-5398)
A remote code execution vulnerability exists in VMware Spring Framework. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...
Security Bulletin: IBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]
Summary IBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965. To be vulnerable a product must meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast t...
This Week in Spring - September 27th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the last week of September, already! The year's more done than not. The days are receding into darkness earlier. And the Pumpkin Spice Lattes are upon us. The darker and colder days are kind of a bummer, but I'm still excite...
Native Support in Spring Boot 3.0.0-M5
The Spring Team has been working on native image support for Spring Applications for quite some time. After 3+ years of incubation in the Spring Native experimental project with Spring Boot 2, native support is moving to General Availability with Spring Framework 6 and Spring Boot 3! Native image...
Nepxion code issue vulnerability
Nepxion is a Chinese open-source project built on the Spring, Spring Boot and Spring Cloud frameworks. Nepxion Discovery has a code issue vulnerability: it is susceptible to server-side request forgery (SSRF) attacks, which an attacker can...
Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to denial of service due to Apache Shiro (CVE-2022-32532)
Summary IBM Sterling Partner Engagement Manager uses Apache Shiro library 1.9.1, where A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. The issue has been addressed. Vulnerability Details CVEID:CVE-2022-22970 DESCRIPTION: Vmware Tanzu Spring Framework is...
Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service due to Vmware Tanzu Spring Framework (CVE-2022-22971)
Summary IBM Sterling Partner Engagement Manager uses Vmware Tanzu Spring Framework that is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. The issue has been addressed. Vulnerability Details CVEID:CVE-2022-22971 DESCRIPTION: Vmware Tanzu Spring Framework ...
A Bootiful Podcast: Couchbase and Cloud legend Laurent Doguin
Hi, Spring fans! In this installment, Josh Long @starbuxman talks to his friend, fellow Java Champion, and director of developer relations and strategy at Couchbase, Laurent Doguin @ldoguin SpringOne 2022 is almost here! This is our first in-person event since the pandemic and it's when we release...
This Week in Spring - September 20th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring wherein I endeavor as best as I can to capture the latest-and-greatest in the wide, wacky, and wonderful world of Springdom! Naturally, I fail miserably basically every week. There's no way I could hope to capture everything of...
Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench is vulnerable to a denial of service attack in Spring Framework (CVE-2022-22971)
Summary Spring Framework is vulnerable to a security issue affecting Rational Test Control Panel Vulnerability Details CVEID:CVE-2022-22971 DESCRIPTION: Vmware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a...
Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service by authenticated user due to Spring Framework (CVE-2022-22971)
Summary Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. IBM Sterling Control Center uses...
Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)
Summary Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling of file uploads. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. IBM Sterling Control Center uses Spring...
springframework: malicious input leads to insertion of additional log entries
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries...
A vulnerability in the Spring Framework software platform, related to improper code generation management, allows attackers to execute arbitrary code.
The vulnerability in the Spring Framework software platform is related to improper code generation management. Exploiting it allows a malicious actor to execute arbitrary code remotely using a specially crafted .jar file...
Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities
Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM has addressed the relevant vulnerabilities. Vulnerability Details CVEID:CVE-2021-43859 DESCRIPTION: XStream is vulnerable to a denial of service, caused by...