697 matches found
Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968)
Table of Contents Overview Does This Affect My Application? Reassessing Your Data Binding Approach Overview While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not...
CVE-2022-22978: Authorization Bypass in RegexRequestMatcher
UPDATES 05-17 Due to a mixup CVE-2022-22975 should have been CVE-2022-22978. The blog has been updated to reflect this correction. CVE-2022-22978 : Authorization Bypass in RegexRequestMatcher Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22978 : Authorization Bypass in...
CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible. Impact Users who have applied the mitigation should take note of the...
CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities
Updates 11-27 Blog posts updated to refer to the CVE reports published The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23th includes fixes for CVE-2023-34055. Users are encouraged to update as soon ...
Spring Framework RCE, Early Announcement
Updates 04-13 "Data Binding Rules Vulnerability CVE-2022-22968" follow-up blog post published, related to the "disallowedFields" from the Suggested Workarounds 04-08 Snyk announces an additional attack vector for Glassfish and Payara. See also related Payara, upcoming release announcement 04-04...
CVE-2022-31692: Authorization rules can be bypassed via forward or include in Spring Security
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31692 affecting the AuthorizationFilter. Users are encouraged to update as soon as possible...
Spring Cloud Function for Azure Function
What is the Spring Cloud Function? Spring Cloud Function is a SpringBoot-based framework allowing users to concentrate on their business logic by implementing them as Java Functions i.e., Supplier, Function, Consumer. In turn the framework provides necessary abstraction to enable execution of the...
Creating a custom Spring Cloud Gateway Filter
In this article, we look into writing a custom extension for Spring Cloud Gateway. Before we get started, let’s go over how Spring Cloud Gateway works: 1. First, a client makes a network request to the Gateway 2. The Gateway is defined with a number of routes, each with Predicates to match the...
CVE report published for Spring Framework
We have released Spring Framework 5.3.17 and Spring Framework 5.2.20 to address the following CVE report. CVE-2022-22950: Spring Expression DoS Vulnerability Please review the information in the CVE report and upgrade immediately. Spring Boot users should upgrade to 2.5.11 or 2.6.5...
Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980)
Updates 06-20 CVE-2022-22980 is published 06-20 Spring Data MongoDB 3.4.1 and 3.3.5 are available Table of Contents Overview Vulnerability Am I Impacted Status Suggested Workarounds Overview We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the followi...
Spring Framework RCE, Mitigation Alternative
Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcats side. While the vulnerability is not in...
CVE-2022-31684: Reactor Netty HTTP Server may log request headers
The Reactor Netty 1.0.24 release on October 11 included fix for CVE-2022-31684 affecting Reactor Netty HTTP Server. Users are encouraged to update as soon as possible. Reactor Netty is used internally in many frameworks including Spring WebFlux and its WebClient. If you have a Spring Boot...
CVE report published for Spring Cloud Function
We have released Spring Cloud Function 3.1.7 & 3.2.3 to address the following CVE report. CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression Please review the information in the CVE report and upgrade immediately...
Spring Tips: Spring Security method security with special guest Rob Winch
Hi, Spring fans! In this installment I have special guest Spring Security lead Rob Winch give us a master class in how the method security support works and some of its new features. Come for the security, stay for the incredible opportunity to look over a senior engineer's shoulders as he explai...
Interesting new filters on Spring Cloud Gateway 4.0
Spring Cloud Gateway 4.0 is finally here! Thanks to our community contributions we have introduced new features and interesting filters. This blog post details new noteworthy and explains some of the new filters included, how they work and how you can use it to provide more insights into your...
This Week in Spring - April 19th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! Its been quite the week since we last talked! I flew to Atlanta, GA, for my first in-person show since the pandemic - Devnexus 2022. I loved the experience! Hopefully, the only souvenirs Ill have are the amazing memories and...
Observability with Spring Boot 3
The Spring Observability Team has been working on adding observability support for Spring Applications for quite some time, and we are pleased to inform you that this feature will be generally available with Spring Framework 6 and Spring Boot 3! What is observability? In our understanding, it is...
Context Propagation with Project Reactor 2 - The bumpy road of Spring Cloud Sleuth
This post is a part of a series: 1. The Basics 2. The bumpy road of Spring Cloud Sleuth 3. Unified Bridging between Reactive and Imperative Spring Cloud Sleuth recently became Micrometer Tracing, part of the Micrometer project. Most of the tracing instrumentation is centered within Micrometer und...
This Week in Spring - March 21st, 2023
Hi, Spring fans! Welcome to another rip roaring installment of This Week in Spring! It's March 21st and today they announced Java 20! It's an exciting time to be a Java developer. Java 20, of course, is just another amazing installment before Java 21, which comes out in six short months, includin...
This Week in Spring - May 23rd, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 23rd and, famously, nothing major has happened in the last week OH WAIT WE RELEASED SPRING BOOT 3.1! Have you checked it out yet? It's dope. I did a Spring Tips installment looking at some of its features here that y...
CVE-2022-22976: BCrypt skips salt rounds for work factor of 31
Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22976: BCrypt skips salt rounds for work factor of 31. Please update as soon as possible...
This Week in Spring - October 25th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! When last we spoke, I was in Las Vegas, NV, for the JavaOne show. It was amazing! Im in sunny Singapore, then off to Malaysia and Thailand. Its the first time Ive been to any of these places since 2019! How good it is to be...
This Week in Spring - November 1st, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! Howre you doin? I hope youre doing well and had a great Halloween if you celebrate. Im doing great. Im in sunny Kuala Lumpur, Malaysia, eating delicious food and hanging out with amazing people. Tomorrow, Im off to Penang,...
Securing Spring Boot Applications With SSL
Secure Sockets Layer SSL and Transport Layer Security TLS are key components of securing communications between systems in a layered or service-oriented architecture. Spring Boot applications in such an architecture often accept incoming network connections or create outgoing connections, and...
Spring Data REST Vulnerability (CVE-2022-31679)
Updates - 09-19 Vulnerability announced here and Spring Data REST 3.6.7 and 3.7.3 released - 09-19 Blog post updated to refer to the CVE report published The Spring Data 2021.1.7 and 2021.2.3 releases shipped on September 19th contained releases for Spring Data REST 3.6.7 and 3.7.3 which include...
Context Propagation with Project Reactor 3 - Unified Bridging between Reactive and Imperative
This post is a part of a series: 1. The Basics 2. The bumpy road of Spring Cloud Sleuth 3. Unified Bridging between Reactive and Imperative We concluded the last article with the thought that Spring Cloud Sleuth’s MANUAL context propagation strategy is both performant and provides correct...
Spring Data JDBC - How To Maintain Your Database Schema
This is the fifth article of a series about how to tackle various challenges you might encounter when using Spring Data JDBC. The series consists of: 1. Spring Data JDBC - How to use custom ID generation? 2. Spring Data JDBC - How do I make bidirectional relationships?. 3. Spring Data JDBC - How ...
This Week in Spring - June 21st, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you? Its been a hot minute since we last chatted. I was in Germany this time last week. Now, Im back in beautiful San Francisco. Today the weather will climb to a monumental 84 F! Thats very unusual, for any time of t...
Active Health Check strategies with Spring Cloud Gateway
Active health check strategies with Spring Cloud Gateway Nowadays, applications are built as a collection of small independent upstream services. This accelerates development and allows modules to be focused on specific responsibilities, increasing their quality. This is one of the main advantage...
Spring WS Samples upgraded for Spring Boot 3.0!
With the recent announcement of Spring Boot 3.0 going GA, some of you may be interested in upgrading your Spring Web Services-based applications to take full advantage of this. The Spring WS team has upgraded our set of sample apps to help you carry that out. The main branch now tracks the versio...
CVE report published for Spring Security OAuth
We have released Spring Security OAuth 2.5.2 to address the following CVE report. CVE-2022-22969: Denial-of-Service DoS in spring-security-oauth2 This vulnerability exposes OAuth 2.0 Client applications only. Please review the information in the CVE report and upgrade immediately...
CVE-2024-22233: Spring Framework server Web DoS Vulnerability
The Spring Framework 6.0.16 and 6.1.3 releases shipped on January 11th includes a fix for CVE-2024-22233. The Spring Boot 3.1.8 and 3.2.2 releases shipped last week upgrade to the relevant Spring Framework versions. Users are encouraged to update as soon as possible...
Spring Authorization Server is on Spring Initializr!
Today, I'm excited to announce that you have a new superpower: creating applications with Spring Authorization Server on Spring Initializr! That's right, it's time to begin your OAuth2 journey and become the hero you always knew you could be! In this post, I'll explain how you can get the most fr...
This Week in Spring - January 9th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the second week of 2024, and I am already thinking about 2025! And, a bit more immediatelt than that: the next two weeks. I'll be at both VOXXED DAYS Ticino and VOXXED DAYS CERN, both in Switzerland. If you're about, com...
Simplified Event Externalization with Spring Modulith
Transactional service methods are a common pattern in Spring applications. These methods trigger a state transition important to the business. This usually involves a core domain abstraction, such as an aggregate and its corresponding repository. A stereotypical example of such an arrangement mig...
Spring Security OAuth reaches End-of-Life
The Spring Security OAuth and Spring Security OAuth Boot 2 auto-configuration projects have reached end of life. The Spring Security OAuth project has been replaced by the Client and Resource Server support provided by Spring Security and the Authorization Server support provided by Spring...
CVE Report Published for Spring Tools
We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report: - CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode Please review the information in the CVE report and upgrade immediately. Eclipse: STS...
This Week in Spring - April 25th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you? I'm en route to Bangalore, India, via Frankfurt, for the Developer Summit 2023 edition. It's going to be a ton of fun, and I hope you won't miss it! para Spring Boot 3.1.0-RC1 available now One of the most exciti...
Azure Spring Apps Enterprise is now generally available
Hi, Spring fans! This is a guest post by Julia Liuson, President, Developer Division, Microsoft Azure Spring Cloud is now Azure Spring Apps We launched Azure Spring Cloud with VMware in 2019 to solve common challenges developers, IT operators, and DevOps teams face when running Spring Boot...
This Week in Spring - August 16th, 2022
Hi, Spring fans! Welcome to another wonder-filled installment of This Week in Spring! Its been a week! Sometimes I can scarcely believe it myself. And can you believe its August 16th already?? My daughters starting school this week! Were in the northern hemisphere, and Summer break is already ove...
Spring Tips: Learn Spring for GraphQL (parts 5 and 6 of an ongoing series)
Hi, Spring fans! In thi^^^ these installments, we continue our series introducing the Spring for GraphQL project. This series features Spring for GraphQL lead Rossen Stoyanchev @rstoya05 - whose work you may know from basically everything in the wide and wonderful world of Springdom having to do...
Using Spring for GraphQL with Spring Data Neo4j
Introduction This is a guest blog post by Gerrit Meier from Neo4j who maintains the Spring Data Neo4j module. A few weeks ago version 1.2.0 of Spring for GraphQL was released with a bunch of new features. This also includes even better integration with Spring Data modules. Motivated by those...
This Week in Spring - July 25th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! Look, I'm going to level with you. This is the view from where I'm staying on holiday right now in tropical Lankawi, Malaysia: I'm super interested in this week's roundup, as always, but I'm also very interested in that...
Native Support in Spring Boot 3.0.0-M5
The Spring Team has been working on native image support for Spring Applications for quite some time. After 3+ years of incubation in the Spring Native experimental project with Spring Boot 2, native support is moving to General Availability with Spring Framework 6 and Spring Boot 3! Native image...
This Week in Spring - September 20th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring wherein I endeavor as best as I can to capture the latest-and-greatest in the wide, wacky, and wonderful world of Springdom! Naturally, I fail miserably basically every week. Theres no way I could hope to capture everything of...
Spring Tools 4.15.1 released
Dear Spring Community, I am happy to announce the 4.15.1 release of the Spring Tools 4 for Eclipse, Visual Studio Code, and Theia. fixes and improvements Spring Boot fixed: VScode incorrectly suggests removing @Autowired annotation from methods 787 Spring Boot fixed: VScode quick fix should not...
The 2022 State of Spring Survey Report
Hi, Spring fans! You're awesome! I know you're awesome. You know you're awesome. And the Spring team works for you. We like working for you because you dream awesome dreams and build awesome things. And we can't work effectively with and for you if we don't know where everyone stands. Every year ...
Announcing Spring AI MCP: A Java SDK for the Model Context Protocol
We're excited to introduce Spring AI MCP, a robust Java SDK implementation of the Model Context Protocol MCP. This new addition to the Spring AI ecosystem brings standardized AI model integration capabilities to the Java platform. What is MCP? The Model Context Protocol MCP is an open protocol th...
Kotlin DSLs in the world of Springdom
Kotlin is a beautiful language that makes it trivial to take old Java libraries and make them much more concise, just by virtue of the Kotlin syntax itself. It shines, however, when you write DSLs. Here's some inside baseball for you: the Spring teams do their level-headed best to be cohesive, to...
Spring Security 5.8.0-M1 and 6.0.0-M6 are released
On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Security 5.8.0-M1 and 6.0.0-M6 are available now. This release includes dependency upgrades, bug fixes, and enhancements. Here are a few noteworthy changes: Deferred SecurityContext lookup...