1676 matches found

IBM Security Bulletins
added 2022/10/14 9:50 p.m. | 36 views

Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Spring Framework (CVE-2021-22096, CVE-2022-22950)

Summary IBM Sterling B2B Integrator has addressed security vulnerabilities in Spring Framework. Vulnerability Details CVEID:CVE-2021-22096 DESCRIPTION: VMware Spring Framework could allow a remote attacker to bypass security restrictions. By sending a specially-crafted input, an attacker could...

CVSS 6.5 | AI score 6.5 | EPSS 0.02461
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2022/10/06 4:45 a.m. | 155 views

Security Bulletin: IBM Cloud Pak for Business Automation is affected but not classified as vulnerable by a remote code execution in Spring Framework [CVE-2022-22965]

Summary IBM Cloud Pak for Business Automation is affected but not classified as vulnerable to a remote code execution in Spring Framework as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring Bo...

CVSS 9.8 | AI score 9.2 | EPSS 0.94428
Exploits: 99 | Affected Software: 2

Check Point Advisories
added 2022/10/03 12:0 a.m. | 5 views

Vmware Spring Framework Remote Code Execution (CVE-2020-5398)

A remote code execution vulnerability exists in VMware Spring Framework. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...

CVSS 7.6 | AI score 5.4 | EPSS 0.90184
Exploits: 2

IBM Security Bulletins
added 2022/10/01 12:45 a.m. | 48 views

Security Bulletin: IBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework [CVE-2022-22965]

Summary IBM Case Manager is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965. To be vulnerable a product must meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast t...

CVSS 9.8 | AI score 9.1 | EPSS 0.94428
Exploits: 99 | Affected Software: 1

Spring Engineering
added 2022/09/27 7:0 a.m. | 14 views

This Week in Spring - September 27th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the last week of September, already! The year's more done than not. The days are receding into darkness earlier. And the Pumpkin Spice Lattes are upon us. The darker and colder days are kind of a bummer, but I'm still excite...

AI score 7.4
Exploits: 0

Spring Engineering
added 2022/09/26 11:33 a.m. | 34 views

Native Support in Spring Boot 3.0.0-M5

The Spring Team has been working on native image support for Spring Applications for quite some time. After 3+ years of incubation in the Spring Native experimental project with Spring Boot 2, native support is moving to General Availability with Spring Framework 6 and Spring Boot 3! Native image...

AI score 7
Exploits: 0

CNNVD
added 2022/09/24 12:0 a.m. | 1 views

Nepxion Code Issue Vulnerability

Nepxion is an open-source project from China based on the Spring, Spring Boot and Spring Cloud frameworks. Nepxion Discovery has a code issue vulnerability that stems from exposure to potential server-side request forgery (SSRF) attacks; the attacker can use the vulnerability can...

CVSS 7.5 | AI score 7.4 | EPSS 0.00119
Exploits: 1 | References: 2

IBM Security Bulletins
added 2022/09/23 6:10 a.m. | 43 views

Security Bulletin: IBM Sterling Partner Engagement Manager vulnerable to denial of service due to Apache Shiro (CVE-2022-32532)

Summary IBM Sterling Partner Engagement Manager uses Apache Shiro library 1.9.1, where a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. The issue has been addressed. Vulnerability Details CVEID:CVE-2022-22970 DESCRIPTION: Vmware Tanzu Spring Framework is...

CVSS 9.8 | AI score 6.9 | EPSS 0.81936
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2022/09/23 6:9 a.m. | 36 views

Security Bulletin: IBM Sterling Partner Engagement Manager is vulnerable to a denial of service due to Vmware Tanzu Spring Framework (CVE-2022-22971)

Summary IBM Sterling Partner Engagement Manager uses Vmware Tanzu Spring Framework that is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. The issue has been addressed. Vulnerability Details CVEID:CVE-2022-22971 DESCRIPTION: Vmware Tanzu Spring Framework ...

CVSS 6.5 | AI score 6.4 | EPSS 0.00247
Exploits: 0 | Affected Software: 1

Spring Engineering
added 2022/09/22 6:0 p.m. | 12 views

A Bootiful Podcast: Couchbase and Cloud legend Laurent Doguin

Hi, Spring fans! In this installment, Josh Long @starbuxman talks to his friend, fellow Java Champion, and director of developer relations and strategy at Couchbase, Laurent Doguin @ldoguin. SpringOne 2022 is almost here! This is our first in-person event since the pandemic and it's when we release...

AI score 1.1
Exploits: 0

Spring Engineering
added 2022/09/20 7:0 a.m. | 34 views

This Week in Spring - September 20th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring wherein I endeavor as best as I can to capture the latest-and-greatest in the wide, wacky, and wonderful world of Springdom! Naturally, I fail miserably basically every week. There's no way I could hope to capture everything of...

AI score 4.5 | EPSS 0.00174
Exploits: 0

IBM Security Bulletins
added 2022/09/16 12:51 p.m. | 35 views

Security Bulletin: Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench is vulnerable to a denial of service attack in Spring Framework (CVE-2022-22971)

Summary Spring Framework is vulnerable to a security issue affecting Rational Test Control Panel Vulnerability Details CVEID:CVE-2022-22971 DESCRIPTION: Vmware Tanzu Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a...

CVSS 6.5 | AI score 6.5 | EPSS 0.00247
Exploits: 0 | Affected Software: 2

IBM Security Bulletins
added 2022/09/14 10:39 p.m. | 34 views

Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service by authenticated user due to Spring Framework (CVE-2022-22971)

Summary Spring Framework is vulnerable to a denial of service, caused by a flaw with a STOMP over WebSocket endpoint. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. IBM Sterling Control Center uses...

AI score 6.4 | EPSS 0.00247
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2022/09/14 10:39 p.m. | 60 views

Security Bulletin: IBM Sterling Control Center is vulnerable to denial of service due to Spring Framework (CVE-2022-22970)

Summary Spring Framework is vulnerable to a denial of service, caused by a flaw in the handling of file uploads. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition. IBM Sterling Control Center uses Spring...

AI score 6.8 | EPSS 0.00164
Exploits: 1 | Affected Software: 1

RedHat Linux
added 2022/09/08 11:31 a.m. | 4 views

springframework: malicious input leads to insertion of additional log entries

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries...

CVSS 4.3 | AI score 6.8 | EPSS 0.00221
Exploits: 0 | References: 4

IBM Security Bulletins
added 2022/08/23 1:34 p.m. | 58 views

Security Bulletin: IBM QRadar SIEM includes components with multiple known vulnerabilities

Summary The product includes vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM has addressed the relevant vulnerabilities. Vulnerability Details CVEID:CVE-2021-43859 DESCRIPTION: XStream is vulnerable to a denial of service, caused by...

CVSS 9.8 | AI score 10 | EPSS 0.93778
Exploits: 21 | Affected Software: 1

Spring Engineering
added 2022/08/23 7:0 a.m. | 18 views

This Week in Spring - August 23rd, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! We've got a ton to cover, so let's dive right into it! A Bootiful Podcast: Flowable founder Joram Barrez on a Bootiful Podcast on workflow, business process management, and more Building IoT Applications Using Fauna and Spring...

AI score 0.6
Exploits: 0

Spring Engineering
added 2022/08/10 3:26 p.m. | 24 views

Spring Web Flow 3.0 M1 Released

It has been almost 4 years since the last set of Spring Web Flow releases. Nevertheless, the project continues to serve a specific need particularly well, arguably better than alternatives, and remains in active use. While there hasn't been a strong driver for new releases, the upcoming Spring...

AI score 0.5
Exploits: 0

Spring Engineering
added 2022/08/09 8:0 a.m. | 15 views

This Week in Spring - August 9th, 2022

Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you this fine Tuesday? I'm in Kansas City for the Kansas City Developer Conference. It's a crazy fun show, and I'm glad to be here. I only wish the rest of you were here, too! We've got a packed This Week in Spring,...

Exploits: 0

IBM Security Bulletins
added 2022/08/08 8:28 a.m. | 103 views

Security Bulletin: Vulnerabilities in Spring Framework affect IBM Cloud Pak System (CVE-2022-22965, CVE-2020-5421)

Summary IBM Cloud Pak System is affected by a remote code execution in Spring Framework CVE-2022-22965 and CVE-2020-5421. IBM Cloud Pak System ships with AWS component that includes it but is not used by it. The fix removes Spring from the product. This security bulletin service applies to IBM...

CVSS 9.8 | AI score 9.5 | EPSS 0.94428
Exploits: 100 | Affected Software: 1