Lucene search

14 matches found

Spring Engineering
added 2025/10/14 12:0 a.m., 4 views

Introducing Share Consumer Support (Kafka Queues) in Spring for Apache Kafka

Continuing our Road to GA series, this week we're exploring Share Groups in Apache Kafka 4.0.0 and their integration in Spring for Apache Kafka 4.0.0 - a feature that fundamentally expands how we can consume messages from Kafka topics. When we first start working with Kafka, the mental model is...

AI score: 6.8, Exploits: 0
vulnersOsv
added 2025/03/13 5:47 a.m., 2 views

ai.superstream:kafka-clients (>=3.0.1 <=3.6.1-alpha1), ai.superstream:spring-kafka (>=2.8.4-alpha1 <=3.0.1-alpha1) +1819 more potentially affected by CVE-2020-36843 via net.i2p.crypto:eddsa (>=0.1.0 <=0.3.0)

net.i2p.crypto:eddsa MAVEN version =0.1.0, =3.0.1, =2.8.4-alpha1, =0.0.1-alpha1, =0.0.6, =2.1.2, =2.1.2, =2.2, =1.1.0-dev-3, =1.10.0, =1.10.0, =1.15.0, =1.10.0, =1.10.0, =1.10.0, =1.10.0, =1.23.0 and more Source cves: CVE-2020-36843 Source advisory: SNYK:JAVA-NETI2PCRYPTO-9402849...

CVSS: 4.3, AI score: 6.4, EPSS: 0.00028, Exploits: 0
Spring Engineering
added 2025/02/25 12:0 a.m., 7 views

This Week in Spring - February 25th, 2025

Hi, Spring fans, and welcome to another rip-roarin' installment of This Week in Spring! Later today I'll board a plane for magnificent Montreal, Canada for the amazing Confoo conference! I'm super excited! Good news everybody! Spring Boot 3.5.0-M2 is now available! In last week's installment of t...

AI score: 7.2, Exploits: 0
GithubExploit
added 2023/09/28 11:18 a.m., 331 views

Exploit for Deserialization of Untrusted Data in Vmware Spring_For_Apache_Kafka

CVE-2023-34040 Spring Kafka Deserialization Remote Code Execut...

CVSS: 7.8, AI score: 8, EPSS: 0.21413, Exploits: 2
Veracode
added 2023/08/29 8:56 a.m., 188 views

Deserialization Of Untrusted Data

org.springframework.kafka, spring-kafka is vulnerable to Deserialization Of Untrusted Data. The vulnerability is caused by not setting ErrorHandlingDeserializer when checkDeserExWhenKeyNull or checkDeserExWhenValueNull container properties are set to true. An attacker can construct a malicious...

CVSS: 7.8, AI score: 6.8, EPSS: 0.21413, Exploits: 2, References: 3, Affected Software: 1
Spring Engineering
added 2023/08/29 12:0 a.m., 12 views

This Week in Spring - August 29th, 2023 - the post SpringOne recovery blog

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm exhausted. Seriously. Last week was mental. If you need me, I'll be over sipping on a tea... But, before that, there's a ton of things to cover from this last week, as always, and there's no rest for the curious, so let's...

AI score: 6.7, Exploits: 0
vulnersOsv
added 2023/08/24 3:31 p.m., 1 view

cn.herodotus.engine:event-message-spring-boot-starter (=3.0.1.0), com.brihaspathee.zeus:account-processor (>=1.0.0 <=1.0.1) +42 more potentially affected by CVE-2023-34040 via org.springframework.kafka:spring-kafka (>=3.0.0 <=3.0.1)

org.springframework.kafka:spring-kafka MAVEN version =3.0.0, =1.0.0, =2.0.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.0, =0.4.2 and more Source cves: CVE-2023-34040 Source advisory: OSV:GHSA-CRQF-Q9FP-HWJW...

CVSS: 7.8, AI score: 7.1, EPSS: 0.21413, Exploits: 2
Github Security Blog
added 2023/08/24 3:31 p.m., 70 views

Spring-Kafka has Java Deserialization vulnerability When Improperly Configured

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers...

CVSS: 7.8, AI score: 6.7, EPSS: 0.21413, Exploits: 2, References: 5, Affected Software: 1
vulnersOsv
added 2023/08/24 3:31 p.m., 2 views

cn.aradin:aradin-spring-actuator-starter (>=1.0.1 <=1.0.3), cn.fscode.common:common-kafka-spring-boot-starter (=0.0.1) +421 more potentially affected by CVE-2023-34040 via org.springframework.kafka:spring-kafka (>=2.8.1 <=2.9.10)

org.springframework.kafka:spring-kafka MAVEN version =2.8.1, =1.0.1, =0.0.2, =2.7.7.5, =2.7.0.0, =1.1.0, =1.0.3, =1.0.3, =3.16.2, =0.0.1, =0.0.3 - com.argusoft:medplatlms =0.0.1 - com.brihaspathee.zeus:account-processor =0.0.1 - com.brihaspathee.zeus:data-transform-service =0.0.1 and more Source...

CVSS: 7.8, AI score: 7.1, EPSS: 0.21413, Exploits: 2
Cvelist
added 2023/08/24 12:59 p.m., 23 views

CVE-2023-34040 Java Deserialization vulnerability in Spring-Kafka When Improperly Configured

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers...

CVSS: 5.3, AI score: 7.6, EPSS: 0.21413, Exploits: 2, References: 1
Vulnrichment
added 2023/08/24 12:59 p.m., 22 views

CVE-2023-34040 Java Deserialization vulnerability in Spring-Kafka When Improperly Configured

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers...

CVSS: 5.3, AI score: 6.5, EPSS: 0.21413, Exploits: 2, References: 1
Spring Engineering
added 2023/03/28 12:0 a.m., 9 views

This Week in Spring - March 28th, 202

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm reporting to you from Los Angeles, where my family and I have gone for my daughter's spring break. We're going to survey some prospective colleges and we're going to Disneyland. Needless to say, I'm doubly glad to have al...

AI score: 6.4, Exploits: 0
vulnersOsv
added 2022/10/04 10:17 p.m., 1 view

ai.djl.spring:djl-spring-boot-starter-tensorflow-auto (>=0.15 <=0.18), ai.djl.tensorflow:tensorflow-api (>=0.15.0 <=0.18.0) +7127 more potentially affected by CVE-2022-3171 via com.google.protobuf:protobuf-java (>=3.17.0-rc-1 <=3.19.5)

com.google.protobuf:protobuf-java MAVEN version =3.17.0-rc-1, =0.15, =0.15.0, =0.15.0, =0.15.0, =3.32.1.6, =3.32.1.6-1-2.1, =3.32.1.6-1-3.0, =3.34.0.3-1-2.2, =3.34.0.3-1-2.2, =3.34.0.3-1-3.0, =3.34.0.3-1-2.2, =3.34.0.3-1-3.0, =3.0.1, =2.8.4-alpha1, =3.0.1-alpha1 and more Source cves: CVE-2022-317...

CVSS: 7.5, AI score: 6.7, EPSS: 0.0011, Exploits: 0
vulnersOsv
added 2022/01/07 10:31 p.m., 1 view

ai.superstream:kafka-clients (>=3.0.1 <=3.6.1-alpha1), ai.superstream:spring-kafka (>=2.8.4-alpha1 <=3.0.1-alpha1) +1387 more potentially affected by CVE-2021-22569 via com.google.protobuf:protobuf-java (>=3.19.0 <=3.19.1)

com.google.protobuf:protobuf-java MAVEN version =3.19.0, =3.0.1, =2.8.4-alpha1, =0.0.1-alpha1, =21.9.4, =21.9.4, =21.9.4, =21.9.4, =0.6.9-rc.2, =0.10.3, =0.10.3, =0.10.3, =0.10.3, =0.10.3, =0.10.3, =0.10.3, =0.10.4 and more Source cves: CVE-2021-22569 Source advisory: OSV:GHSA-WRVW-HG22-4M67...

CVSS: 7.5, AI score: 6.7, EPSS: 0.00471, Exploits: 1