This Week in Spring - August 13th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's Tuesday and work is well underway to prepare for the huge SpringOne event in Las Vegas in just a few short weeks' time! I'm elated! So, let's get this roundup on the road so I can get back to the preparation frenzy...
Spring AI Embraces OpenAI's Structured Outputs: Enhancing JSON Response Reliability
OpenAI recently introduced a powerful feature called Structured Outputs, which ensures that AI-generated responses adhere strictly to a predefined JSON schema. This feature significantly improves the reliability and usability of AI-generated content in real-world applications. Today, we're excite...
A Bootiful Podcast: Spring Cloud Dataflow, Spring Cloud Task, and Spring Batch legend Glenn Renfro
Hi, Spring fans! In this installment, I talk to Spring Cloud Dataflow, Spring Cloud Task, and Spring Batch legend Glenn Renfro...
Spring Tips: HTMX
Hi, Spring fans! HTMX is the progressive hypertext sensation that's sweeping the process of web app creation, and - thanks to a nice integration by Spring community legend Wim Deblauwe, it's easier than ever to use it with Spring Boot and Thymeleaf. And, it's the topic of today's installment! jav...
This Week in Spring - August 6th, 2024
It's August! Egads, has that come quickly! AUGUST. The eighth month of the year, and we're almost done with the first week, in fact! It's not that I'm not grateful to be here, but, yah, wow that was quick. And, of course, the month of my all time double dutch favorite conference, SpringOne,...
cn.centychen:xxl-job-spring-boot-starter (>=1.0.0-RELEASE <=1.0.1-RELEASE), cn.com.365trade.oss:xxl-job-admin (>=2.2.1.1_zzlh <=2.2.1_zzlh) +31 more potentially affected by CVE-2023-45146 via com.xuxueli:xxl-rpc-core (>=1.2.0 <=1.6.0)
com.xuxueli:xxl-rpc-core MAVEN version =1.2.0, =1.0.0-RELEASE, =2.2.1.1zzlh, =2.2.1.1zzlh, =1.1.1, =2.1.1-RELEASE, =0.0.1, =0.0.1, =2.0.4, =2.0.4, =0.0.1, =2.0.5 and more Source cves: CVE-2023-45146 Source advisory: OSV:GHSA-F984-3WX8-GRP9...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to phishing attacks in VMware Tanzu Spring Framework [CVE-2024-22262]
Summary: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to phishing attacks in VMware Tanzu Spring Framework, caused by an open redirect vulnerability in UriComponentsBuilder (CVE-2024-22262). VMware Tanzu Spring Framework is used in our Speech Microservices. This...
A Bootiful Podcast: Observability legend Jonatan Ivanov on the latest and greatest in Micrometer
Hi, Spring fans! In this installment we talk to observability legend Jonatan Ivanov about the latest and greatest in the wide and wonderful world of observability. Turns out a library that's used by countless projects including and beyond the Spring ecosystem keeps quite busy!...
Spring Tips: Spring Security method security with special guest Rob Winch
Hi, Spring fans! In this installment I have special guest Spring Security lead Rob Winch give us a master class in how the method security support works and some of its new features. Come for the security, stay for the incredible opportunity to look over a senior engineer's shoulders as he explai...
Spring AI with Groq - a blazingly fast AI inference engine
Faster information processing not only informs - it transforms how we perceive and innovate. Spring AI, a powerful framework for integrating AI capabilities into Spring applications, now offers support for Groq - a blazingly fast AI inference engine with support for Tool/Function calling...
Security Bulletin: IBM Common Licensing's Administration And Reporting Tool (ART) and IBM LKS Administration Agent are affected by Spring Framework vulnerabilities.
Summary: Multiple vulnerabilities in Spring Framework affect IBM Common Licensing. Security vulnerabilities have been addressed in IBM Common Licensing. The Remediations/Fixes section addresses remediation actions. Vulnerability Details: CVEID: CVE-2023-20863 DESCRIPTION: VMware Tanzu Spring Framework is...
br.com.m4rc310:br-com-m4rc310-graphql (=1.0.1), br.com.m4rc310:br-com-m4rc310-libs (=1.0.1) +880 more potentially affected by CVE-2024-40094 via com.graphql-java:graphql-java (>=0.0.0-2021-06-27T12-22-33-cd2bab76 <=19.1)
com.graphql-java:graphql-java MAVEN version =0.0.0-2021-06-27T12-22-33-cd2bab76, =6.0.0, =6.0.3, =6.0.0, =6.0.0, =6.0.0, =6.0.0, =6.2.0, =6.0.0, =6.0.0, =6.0.3, =0.1.0, =1.0.0, =1.2.1 and more Source cves: CVE-2024-40094 Source advisory: OSV:GHSA-H9MQ-F6Q5-6C8M...
This Week in Spring - July 29th, 2024
Hi Spring fans! Welcome to another installment of This Week in Spring! It's July 29th, 2024! I can hardly believe it! We're less than a month away from SpringOne 2024! Have you registered for either in-person attendance or the free livestreams yet? As always, we've got a ton of stuff to cover so...
Security Bulletin: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2024-22259, CVE-2024-22243, CVE-2024-22262).
Summary: Vulnerability in Spring Framework affects IBM Tivoli Application Dependency Discovery Manager (CVE-2024-22259, CVE-2024-22243, CVE-2024-22262). IBM has addressed the vulnerabilities. Vulnerability Details: CVEID: CVE-2024-22262 DESCRIPTION: VMware Tanzu Spring Framework could allow a remote...
Remote Code Execution (RCE)
org.springframework.cloud:spring-cloud-skipper-server is vulnerable to Remote Code Execution (RCE). The vulnerability is caused by improper validation of upload requests, allowing a malicious user with access to the Skipper server API to write an arbitrary file to any location on the file...
Spring AI with Ollama Tool Support
Earlier this week, Ollama introduced an exciting new feature: tool support for Large Language Models (LLMs). Today, we're thrilled to announce that Spring AI 1.0.0-SNAPSHOT has fully embraced this powerful feature, bringing Ollama's function calling capabilities to the Spring ecosystem. Ollama's to...
Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.4.1 for Spring Boot security update.
Red Hat build of Apache Camel 4.4.1 for Spring Boot release and security update is now available. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available fo...
spring-security: Broken Access Control With Direct Use of AuthenticatedVoter
A broken access control flaw was found in Spring Security. Applications may be vulnerable when directly using AuthenticatedVoter#vote, passing a NULL authentication parameter...
spring-security: Broken Access Control in Spring Security With Direct Use of isFullyAuthenticated
A vulnerability was found in Spring Security. This issue may lead to Broken Access Control, allowing a malicious user to impact the Confidentiality and Integrity of an application or server. This requires the application to use AuthenticationTrustResolver.isFullyAuthenticated(Authentication) direct...
org.springframework.cloud.stream.app:spring-cloud-starter-stream-sink-task-launcher-dataflow (>=1.0.0.RELEASE <=1.0.2.RELEASE), org.springframework.cloud.stream.app:spring-cloud-stream-app-starters-docs (>=Einstein.RELEASE <=Einstein.SR5) +46 more potentially affected by CVE-2024-37084 via org.springframework.cloud:spring-cloud-skipper (>=1.0.0.RELEASE <=2.11.3)
org.springframework.cloud:spring-cloud-skipper MAVEN version =1.0.0.RELEASE, =1.0.0.RELEASE, =Einstein.RELEASE, =1.0.0.RELEASE, =1.0.0.RELEASE, =1.1.1.RELEASE, =1.1.1.RELEASE, =Clark.SR1, =2.11.0, =2.0.0.RELEASE, =2.0.0.RELEASE, =1.6.0.RELEASE, =2.0.0.RELEASE, =2.11.3 -...