286 matches found
Introducing Microservices Patterns with Spring Integration
Hey Spring Community! I hope you are enjoying Spring One Essentials these days. The most exciting feature for me is an Observability which is spread throughout the Spring portfolio from now on. Nevertheless, today I’d like to share with a project I’m working on since holidays, where the mentioned...
Moderate: Red Hat Security Advisory: Red Hat AMQ Streams 2.3.0 release and security update
Red Hat AMQ Streams 2.3.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...
userver 安全漏洞
userver is a modern open source asynchronous framework from userver open source. Used to create C++ microservices, services and utilities quickly and comfortably. A security vulnerability exists in userver that stems from the fact that it allows an attacker to implement a denial of service via a...
Security Bulletin: IBM InfoSphere Information Server is affected by a denial of service vulnerability in Apache Kafka (CVE-2022-34917)
Summary A denial of service vulnerability in Apache Kafka used by IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2022-34917 DESCRIPTION: Apache Kafka is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request...
Design/Logic Flaw
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue...
CVE-2022-39388 Istio may allow identity impersonation if user has localhost access
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue...
CVE-2022-39388
CVE-2022-39388 affects Istio on the 1.15.x branch prior to 1.15.3. If a user has localhost access to the Istiod control plane, they can impersonate any workload identity within the service mesh due to an issue in the authentication/identity flow. The issue is publicly documented as fixed in 1.15....
CVE-2022-39388 Istio may allow identity impersonation if user has localhost access
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue...
CVE-2022-39388 Istio may allow identity impersonation if user has localhost access
Istio is an open platform to connect, manage, and secure microservices. In versions on the 1.15.x branch prior to 1.15.3, a user can impersonate any workload identity within the service mesh if they have localhost access to the Istiod control plane. Version 1.15.3 contains a patch for this issue...
Security Bulletin: Multiple Security Vulnerabilities in IBM WebSphere Liberty affects IBM Voice Gateway
Summary Multiple security vulnerabilities in IBM WebSphere Liberty affect certain IBM Voice Gateway microservices. Vulnerability Details CVEID:CVE-2022-34165 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.9...
8 KB is not enough: why WAFs can’t protect APIs
WAFs were a top-notch security instrument a decade ago, but now they are not. They fail to protect APIs. Meanwhile, the number of API-specific vulnerabilities grew more than twofold in 2022. According to a report by Wallarm, many such vulnerabilities have critical severity, and 33% are immediatel...
CVE-2022-39271
CVE-2022-39271 affects Traefik, a modern HTTP reverse proxy/load balancer. The vulnerability lies in HTTP/2 connection handling where closing an HTTP/2 server connection could hang due to a subsequent fatal error, potentially enabling a denial-of-service condition. A patch has been released in Tr...
CVE-2022-39271 Traefik HTTP/2 connections management could cause a denial of service
Traefik pronounced traffic is a modern HTTP reverse proxy and load balancer that assists in deploying microservices. There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure...
Important: Red Hat Security Advisory: Red Hat AMQ Streams 2.2.0 release and security update
Red Hat AMQ Streams 2.2.0 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...
Hertz path traversal vulnerability
Hertz is a Golang microservices HTTP framework open sourced by CloudWeGo. v0.3.0 of Hertz contains a path traversal vulnerability that stems from a failure of the normalizePath function to properly filter special elements in a resource or file path. An attacker could exploit this vulnerability to...
A Bootiful Podcast: thought leader Chris Richardson (and no, I'm not using that title ironically!)
Hi, Spring fans! In this installment, Josh Long @starbuxman talks to his friend Chris Richardson @crichardson, who helped articulate and advance cloud computing, reactive programming, microservices, domain-driven design, event sourcing, and so much more years before the zeitgeist. Also, we used t...
GHSA-C9QR-F6C8-RGXF Hertz contains path traversal via normalizePath function
Hertz is a a high-performance and strong-extensibility Go HTTP framework that helps developers build microservices. Versions of Hertz prior to 0.3.1 contain a path traversal vulnerability via the normalizePath function. This issue has been patched in 0.3.1...
crAPI - Completely Ridiculous API
c ompletely r idiculous API crAPI will help you to understand the ten most critical API security risks. crAPI is vulnerable by design, but you'll be able to safely run it to educate/train yourself. crAPI is modern, built on top of a microservices architecture. When time has come to buy your first...
Apache SkyWalking Denial of Service Vulnerability
Apache SkyWalking is an application performance monitor from the Apache Foundation that is primarily used in environments such as microservices, cloud-native and container-based. A denial of service vulnerability exists in Apache SkyWalking NodeJS Agent prior to version 0.5.1, which stems from an...
CVE-2022-31053
Biscuit is an authentication and authorization token for microservices architectures. The Biscuit specification version 1 contains a vulnerable algorithm that allows malicious actors to forge valid Γ-signatures. Such an attack would allow an attacker to create a token with any access level. The...