924 matches found
Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968)
Table of Contents Overview Does This Affect My Application? Reassessing Your Data Binding Approach Overview While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not...
CVE-2022-22978: Authorization Bypass in RegexRequestMatcher
UPDATES 05-17 Due to a mixup CVE-2022-22975 should have been CVE-2022-22978. The blog has been updated to reflect this correction. CVE-2022-22978 : Authorization Bypass in RegexRequestMatcher Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22978 : Authorization Bypass in...
CVE-2022-31690: Privilege Escalation in spring-security-oauth2-client
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31690 affecting the mapping of authorized scopes in spring-security-oauth2-client. Users are encouraged to update as soon as possible. Impact Users who have applied the mitigation should take note of the...
CVE-2023-34053, CVE-2023-34055: Spring Framework and Spring Boot vulnerabilities
Updates 11-27 Blog posts updated to refer to the CVE reports published The Spring Framework 6.0.14 release shipped on November 16th includes a fix for CVE-2023-34053. The Spring Boot 2.7.18 release shipped on November 23th includes fixes for CVE-2023-34055. Users are encouraged to update as soon ...
Spring Framework RCE, Early Announcement
Updates 04-13 "Data Binding Rules Vulnerability CVE-2022-22968" follow-up blog post published, related to the "disallowedFields" from the Suggested Workarounds 04-08 Snyk announces an additional attack vector for Glassfish and Payara. See also related Payara, upcoming release announcement 04-04...
Spring Cloud Function for Azure Function
What is the Spring Cloud Function? Spring Cloud Function is a SpringBoot-based framework allowing users to concentrate on their business logic by implementing them as Java Functions i.e., Supplier, Function, Consumer. In turn the framework provides necessary abstraction to enable execution of the...
CVE-2022-31692: Authorization rules can be bypassed via forward or include in Spring Security
Spring Security 5.6.9 and 5.7.5 released on October 31st, 2022 included a fix for CVE-2022-31692 affecting the AuthorizationFilter. Users are encouraged to update as soon as possible...
Creating a custom Spring Cloud Gateway Filter
In this article, we look into writing a custom extension for Spring Cloud Gateway. Before we get started, let’s go over how Spring Cloud Gateway works: 1. First, a client makes a network request to the Gateway 2. The Gateway is defined with a number of routes, each with Predicates to match the...
CVE report published for Spring Framework
We have released Spring Framework 5.3.17 and Spring Framework 5.2.20 to address the following CVE report. CVE-2022-22950: Spring Expression DoS Vulnerability Please review the information in the CVE report and upgrade immediately. Spring Boot users should upgrade to 2.5.11 or 2.6.5...
Spring Data MongoDB SpEL Expression Injection Vulnerability (CVE-2022-22980)
Updates 06-20 CVE-2022-22980 is published 06-20 Spring Data MongoDB 3.4.1 and 3.3.5 are available Table of Contents Overview Vulnerability Am I Impacted Status Suggested Workarounds Overview We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the followi...
Spring Framework RCE, Mitigation Alternative
Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcats side. While the vulnerability is not in...
CVE report published for Spring Cloud Function
We have released Spring Cloud Function 3.1.7 & 3.2.3 to address the following CVE report. CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression Please review the information in the CVE report and upgrade immediately...
CVE-2022-31684: Reactor Netty HTTP Server may log request headers
The Reactor Netty 1.0.24 release on October 11 included fix for CVE-2022-31684 affecting Reactor Netty HTTP Server. Users are encouraged to update as soon as possible. Reactor Netty is used internally in many frameworks including Spring WebFlux and its WebClient. If you have a Spring Boot...
Spring Tips: Spring Security method security with special guest Rob Winch
Hi, Spring fans! In this installment I have special guest Spring Security lead Rob Winch give us a master class in how the method security support works and some of its new features. Come for the security, stay for the incredible opportunity to look over a senior engineer's shoulders as he explai...
Interesting new filters on Spring Cloud Gateway 4.0
Spring Cloud Gateway 4.0 is finally here! Thanks to our community contributions we have introduced new features and interesting filters. This blog post details new noteworthy and explains some of the new filters included, how they work and how you can use it to provide more insights into your...
Observability with Spring Boot 3
The Spring Observability Team has been working on adding observability support for Spring Applications for quite some time, and we are pleased to inform you that this feature will be generally available with Spring Framework 6 and Spring Boot 3! What is observability? In our understanding, it is...
This Week in Spring - April 19th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! Its been quite the week since we last talked! I flew to Atlanta, GA, for my first in-person show since the pandemic - Devnexus 2022. I loved the experience! Hopefully, the only souvenirs Ill have are the amazing memories and...
This Week in Spring - May 23rd, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 23rd and, famously, nothing major has happened in the last week OH WAIT WE RELEASED SPRING BOOT 3.1! Have you checked it out yet? It's dope. I did a Spring Tips installment looking at some of its features here that y...
This Week in Spring - March 21st, 2023
Hi, Spring fans! Welcome to another rip roaring installment of This Week in Spring! It's March 21st and today they announced Java 20! It's an exciting time to be a Java developer. Java 20, of course, is just another amazing installment before Java 21, which comes out in six short months, includin...
Context Propagation with Project Reactor 2 - The bumpy road of Spring Cloud Sleuth
This post is a part of a series: 1. The Basics 2. The bumpy road of Spring Cloud Sleuth 3. Unified Bridging between Reactive and Imperative Spring Cloud Sleuth recently became Micrometer Tracing, part of the Micrometer project. Most of the tracing instrumentation is centered within Micrometer und...
CVE-2022-22976: BCrypt skips salt rounds for work factor of 31
Spring Security 5.7.0, 5.6.4, 5.5.7 were released to fix CVE-2022-22976: BCrypt skips salt rounds for work factor of 31. Please update as soon as possible...
Securing Spring Boot Applications With SSL
Secure Sockets Layer SSL and Transport Layer Security TLS are key components of securing communications between systems in a layered or service-oriented architecture. Spring Boot applications in such an architecture often accept incoming network connections or create outgoing connections, and...
This Week in Spring - October 25th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! When last we spoke, I was in Las Vegas, NV, for the JavaOne show. It was amazing! Im in sunny Singapore, then off to Malaysia and Thailand. Its the first time Ive been to any of these places since 2019! How good it is to be...
This Week in Spring - November 1st, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! Howre you doin? I hope youre doing well and had a great Halloween if you celebrate. Im doing great. Im in sunny Kuala Lumpur, Malaysia, eating delicious food and hanging out with amazing people. Tomorrow, Im off to Penang,...
Spring Data REST Vulnerability (CVE-2022-31679)
Updates - 09-19 Vulnerability announced here and Spring Data REST 3.6.7 and 3.7.3 released - 09-19 Blog post updated to refer to the CVE report published The Spring Data 2021.1.7 and 2021.2.3 releases shipped on September 19th contained releases for Spring Data REST 3.6.7 and 3.7.3 which include...
Context Propagation with Project Reactor 3 - Unified Bridging between Reactive and Imperative
This post is a part of a series: 1. The Basics 2. The bumpy road of Spring Cloud Sleuth 3. Unified Bridging between Reactive and Imperative We concluded the last article with the thought that Spring Cloud Sleuth’s MANUAL context propagation strategy is both performant and provides correct...
Active Health Check strategies with Spring Cloud Gateway
Active health check strategies with Spring Cloud Gateway Nowadays, applications are built as a collection of small independent upstream services. This accelerates development and allows modules to be focused on specific responsibilities, increasing their quality. This is one of the main advantage...
Spring Data JDBC - How To Maintain Your Database Schema
This is the fifth article of a series about how to tackle various challenges you might encounter when using Spring Data JDBC. The series consists of: 1. Spring Data JDBC - How to use custom ID generation? 2. Spring Data JDBC - How do I make bidirectional relationships?. 3. Spring Data JDBC - How ...
This Week in Spring - June 21st, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you? Its been a hot minute since we last chatted. I was in Germany this time last week. Now, Im back in beautiful San Francisco. Today the weather will climb to a monumental 84 F! Thats very unusual, for any time of t...
Spring WS Samples upgraded for Spring Boot 3.0!
With the recent announcement of Spring Boot 3.0 going GA, some of you may be interested in upgrading your Spring Web Services-based applications to take full advantage of this. The Spring WS team has upgraded our set of sample apps to help you carry that out. The main branch now tracks the versio...
This Week in Spring - June 23rd, 2026
Hi Spring fans! In this installment, we look at the wide and wonderful world of Spring, as usual, and there's a good amount to get to, fresh off the recent Spring Boot 4.1 generation release train, so let's dive right into it! I wrote a blog post looking at Spring Batch, MongoDB, and Spring Boot...
CVE report published for Spring Security OAuth
We have released Spring Security OAuth 2.5.2 to address the following CVE report. CVE-2022-22969: Denial-of-Service DoS in spring-security-oauth2 This vulnerability exposes OAuth 2.0 Client applications only. Please review the information in the CVE report and upgrade immediately...
CVE-2024-22233: Spring Framework server Web DoS Vulnerability
The Spring Framework 6.0.16 and 6.1.3 releases shipped on January 11th includes a fix for CVE-2024-22233. The Spring Boot 3.1.8 and 3.2.2 releases shipped last week upgrade to the relevant Spring Framework versions. Users are encouraged to update as soon as possible...
Spring Authorization Server is on Spring Initializr!
Today, I'm excited to announce that you have a new superpower: creating applications with Spring Authorization Server on Spring Initializr! That's right, it's time to begin your OAuth2 journey and become the hero you always knew you could be! In this post, I'll explain how you can get the most fr...
Spring Security OAuth reaches End-of-Life
The Spring Security OAuth and Spring Security OAuth Boot 2 auto-configuration projects have reached end of life. The Spring Security OAuth project has been replaced by the Client and Resource Server support provided by Spring Security and the Authorization Server support provided by Spring...
This Week in Spring - January 9th, 2024
Hi, Spring fans! Welcome to another installment of This Week in Spring! It's the second week of 2024, and I am already thinking about 2025! And, a bit more immediatelt than that: the next two weeks. I'll be at both VOXXED DAYS Ticino and VOXXED DAYS CERN, both in Switzerland. If you're about, com...
Simplified Event Externalization with Spring Modulith
Transactional service methods are a common pattern in Spring applications. These methods trigger a state transition important to the business. This usually involves a core domain abstraction, such as an aggregate and its corresponding repository. A stereotypical example of such an arrangement mig...
Native Support in Spring Boot 3.0.0-M5
The Spring Team has been working on native image support for Spring Applications for quite some time. After 3+ years of incubation in the Spring Native experimental project with Spring Boot 2, native support is moving to General Availability with Spring Framework 6 and Spring Boot 3! Native image...
This Week in Spring - April 25th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! How are you? I'm en route to Bangalore, India, via Frankfurt, for the Developer Summit 2023 edition. It's going to be a ton of fun, and I hope you won't miss it! para Spring Boot 3.1.0-RC1 available now One of the most exciti...
CVE Report Published for Spring Tools
We have released STS 4.16.1 for Eclipse and Spring VSCode extensions 1.40.0 to address the following CVE report: - CVE-2022-31691: Remote Code Execution via YAML editors in STS4 extensions for Eclipse and VSCode Please review the information in the CVE report and upgrade immediately. Eclipse: STS...
Azure Spring Apps Enterprise is now generally available
Hi, Spring fans! This is a guest post by Julia Liuson, President, Developer Division, Microsoft Azure Spring Cloud is now Azure Spring Apps We launched Azure Spring Cloud with VMware in 2019 to solve common challenges developers, IT operators, and DevOps teams face when running Spring Boot...
This Week in Spring - November 19th, 2024
Hi, Spring fans! How are you? Can you believe we're already staring at the end of the month? It's that time of the year when we see new releases, and the new releases reflect that frenzy! Soon: Spring Boot 3.4.0! Are you updated? Make sure you're updated! Remember: Spring projects leave open sour...
This Week in Spring - August 16th, 2022
Hi, Spring fans! Welcome to another wonder-filled installment of This Week in Spring! Its been a week! Sometimes I can scarcely believe it myself. And can you believe its August 16th already?? My daughters starting school this week! Were in the northern hemisphere, and Summer break is already ove...
Spring Tips: Learn Spring for GraphQL (parts 5 and 6 of an ongoing series)
Hi, Spring fans! In thi^^^ these installments, we continue our series introducing the Spring for GraphQL project. This series features Spring for GraphQL lead Rossen Stoyanchev @rstoya05 - whose work you may know from basically everything in the wide and wonderful world of Springdom having to do...
Using Spring for GraphQL with Spring Data Neo4j
Introduction This is a guest blog post by Gerrit Meier from Neo4j who maintains the Spring Data Neo4j module. A few weeks ago version 1.2.0 of Spring for GraphQL was released with a bunch of new features. This also includes even better integration with Spring Data modules. Motivated by those...
MCP Authorization in practice with Spring AI and OAuth2
Last month, we explored how to secure Spring AI MCP Servers1 with the OAuth2 authorization framework. In the conclusion of that article, we mentioned we'd explore using standalone Authorization Servers for MCP Security and deviate from the then-current specification. Since we published the articl...
Announcing Spring AI MCP: A Java SDK for the Model Context Protocol
We're excited to introduce Spring AI MCP, a robust Java SDK implementation of the Model Context Protocol MCP. This new addition to the Spring AI ecosystem brings standardized AI model integration capabilities to the Java platform. What is MCP? The Model Context Protocol MCP is an open protocol th...
This Week in Spring - July 25th, 2023
Hi, Spring fans! Welcome to another installment of This Week in Spring! Look, I'm going to level with you. This is the view from where I'm staying on holiday right now in tropical Lankawi, Malaysia: I'm super interested in this week's roundup, as always, but I'm also very interested in that...
Kotlin DSLs in the world of Springdom
Kotlin is a beautiful language that makes it trivial to take old Java libraries and make them much more concise, just by virtue of the Kotlin syntax itself. It shines, however, when you write DSLs. Here's some inside baseball for you: the Spring teams do their level-headed best to be cohesive, to...
This Week in Spring - September 20th, 2022
Hi, Spring fans! Welcome to another installment of This Week in Spring wherein I endeavor as best as I can to capture the latest-and-greatest in the wide, wacky, and wonderful world of Springdom! Naturally, I fail miserably basically every week. Theres no way I could hope to capture everything of...