This Week in Spring - January 17th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! I went to Helsinki, Finland, last week, and this week Im in Atlanta, Georgia, to speak at the Atlanta Java User Group. And, of course, next week, Ill be in New York to join a viewing party for the airing of SpringOne...

This Week in Spring - January 17th, 2023

Hi, Spring fans! Welcome to another installment of This Week in Spring! I went to Helsinki, Finland, last week, and this week I'm in Atlanta, Georgia, to speak at the Atlanta Java User Group. And, of course, next week, I'll be in New York to join a viewing party for the airing of SpringOne...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation with Spring Framework (CVE-2022-22950).

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation in VMware Tanzu Spring Framework CVE-2022-22950. This appears in the Java code used by some of our service components. Please read the details for...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a data binding rules security weakness in Spring Framework (CVE-2022-22968)

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a Spring framework data binding rules vulnerability, where case sensitive patterns for disallowedFields cause weaker than expected security CVE-2022-22968. Spring Framework is used by some of the java...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to improper input validation in Spring Framework (CVE-2022-22950)

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to a denial of service, caused by improper input validation in VMware Tanzu Spring Framework CVE-2022-22950. Spring Framework is used in Watson Speech Services to build our STT and TTS java services Please read...

Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3...

Exploit for Code Injection in Vmware Spring_Framework

Spring4Shell-CVE-2022-22965-POC bash ghost㉿uchiha:$ ./exp...

Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)

Summary IBM Tivoli Monitoring is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast to a Spring Boo...

Security Bulletin: IBM Tivoli Monitoring is affected but not classified as vulnerable by a denial of service in Spring Framework (CVE-2022-22950)

Summary IBM Tivoli Monitoring is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22950. The Tivoli Enterprise Portal Server CQ component includes but does not use it. The fix removes Spring from the product. Vulnerability Details...

This Week in Spring - December 20th, 2022

Hi, Spring fans! Its the 20th of December, 2022 as I write this, which means that by the time we meet again, here on this humble blog, Tuesday next week, Christmas will already have come and gone. Chanukah is already here! Time is sure flying! So, to those of you who celebrate: Happy Chanukah,...

spring-expression: Denial of service via specially crafted SpEL expression

A flaw was found in the Spring Framework. This flaw allows an attacker to craft a special Spring Expression, causing a denial of service...

Exploit for Code Injection in Vmware Spring_Framework

Spring4Shell-PoC Application This application has been contai...

New Go-based Botnet Exploiting Exploiting Dozens of IoT Vulnerabilities to Expand its Network

NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai. A novel Go-based botnet called Zerobot has been observed in the wild proliferating by taking advantage of nearly two dozen...

TERASOLUNA Server Framework vulnerable to ClassLoader manipulation

TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to ClassLoader manipulation due to using the old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input...

GHSA-Q5J9-F95W-F4PR TERASOLUNA Server Framework vulnerable to ClassLoader manipulation

TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to ClassLoader manipulation due to using the old version of Spring Framework which contains the vulnerability. The vulnerability is caused by an improper input...

CVE-2022-43484

TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an...

Input validation

TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an...

CVE-2022-43484

The CVE-2022-43484 issue affects TERASOLUNA Global Framework 1.0.0 and TERASOLUNA Server Framework for Java (Rich) 2.0.0.2–2.0.5.1, caused by improper input validation in the binding mechanism of Spring MVC due to an old Spring Framework version. By processing a specially crafted file, an attacke...

CVE-2022-43484

TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an...

CVE-2022-43484

TERASOLUNA Global Framework 1.0.0 Public review version and TERASOLUNA Server Framework for Java Rich 2.0.0.2 to 2.0.5.1 are vulnerable to a ClassLoader manipulation vulnerability due to using the old version of Spring Framework which contains the vulnerability.The vulnerability is caused by an...