In the early hours of yesterday I tweeted about the big bug in Spring. During the day, many friends asked why the post had been deleted.

I deleted it mainly because a friend reminded me that it might violate the rules (for reference: Aliyun was penalized by the Ministry of Industry and Information Technology for failing to report the nuclear-bomb-level Log4j2 vulnerability).

Over the course of the day, the matter seemed to get a little confusing. So let's talk about this Spring bug that has been circulating online.

The vulnerability topic started on the evening of March 29, when DD saw a few security big names in a group chat sharing that there was a super big bug in the Java ecosystem.

But neither of the two revealed any more details about the vulnerability. Someone only asked: "Is it as big as Log4j?" Yunshu replied: "Bigger".

After that, security guru Sunwear gave some more detailed information:

So the vulnerability can be narrowed down to projects using Java 9+ and Spring.


At this point, some people actually breathed a sigh of relief, since most of the country is still on Java 8. DD knows this very well: every time a new Java version comes out, the feedback from friends is always "I'm not upgrading; you keep releasing versions, I'll keep using Java 8."

Couldn't sleep anyway, so DD kept searching, and then discovered that Spring had a recent commit:

According to the commit message, it was a fix for an RCE vulnerability. So, was this probably it? Interested readers can view the specific information through the link below.

Github.com/spring-proj…

After that, some professional network security channels published a fix. But before long, much of that content was "harmonized" (taken down), and it is not clear why.

Then came March 30, and all kinds of marketing accounts began to hype the problem. Two kinds were especially nonsensical. The first is misattribution: taking some old vulnerability and passing it off as the big one, because the headline is sensational enough that many people pay attention and then discuss it in the groups. For example, some of the alleged Spring Cloud Gateway vulnerabilities were actually announced on March 1. Some claimed it was the latest one, but if you look closely you'll notice it doesn't seem to match, and the severity is not high.

The other category is phishing: because the alleged vulnerability is so big, people circulate unofficial "fix packages" that are actually malicious code, to lure others into using them.

So DD reminds you: when it comes to security issues, you must read the official information, not just some random article. That includes the content DD shares; we will also post the link to the official information so that everyone can verify it and act on it.

Back to the bug information posted online. In fact, since the evening of the 29th, everyone has been watching for official information from Spring. What arrived during the day instead was this blog post:

CVE-2022-22963 is not the same level of vulnerability as Log4j.

So, go back to the RCE PR mentioned earlier. You can see some updates there:

When will the CVE be reported?

@ledoyen replies: This is not a CVE per se. Using this tool to process user input data can cause a CVE, but not when it is used internally, like in the CacheResultInterceptor.

@sbrannen concludes that this is not a CVE in the Spring core framework. The purpose of this change is to inform people who previously used SerializationUtils that it is dangerous to deserialize objects from untrusted sources. The Spring core framework does not use SerializationUtils to deserialize objects from untrusted sources. If you think you have found a security issue, please report it via the dedicated page: spring.io/security-po…

So, this PR that looked like a fix for the big bug circulating online is not the same thing? Going back to look at Yunshu's Weibo about the leak, the earlier post no longer exists. So where did this so-called big hole go? DD can't guess, and won't; after all, security vulnerabilities are serious business.
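The one technical point in that PR discussion is worth seeing in code: plain Java deserialization of bytes from an untrusted source lets the sender pick which classes get instantiated. The example below is added here and is not code from this post or from the Spring project; it shows the unfiltered pattern next to a hardened form that uses the JDK's own ObjectInputFilter (JEP 290, Java 9+) to accept only the one class the application expects. The Greeting class, the helper names and the stand-in payload are all constructed for the example.

```java
import java.io.*;

public final class SafeDeserializeDemo {
    // Constructed example type: the only class the application expects to read back.
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String text;
        public Greeting(String text) { this.text = text; }
    }

    // Plain JDK serialization, the mechanism Spring's SerializationUtils builds on.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Risky pattern: with no filter, any serializable class on the classpath can be
    // instantiated while the stream is read; this is the danger the commit warns about.
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // Hardened form: an allowlist filter accepts Greeting, rejects every other class ("!*"),
    // and caps nesting depth and byte count so malformed input fails fast.
    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                Greeting.class.getName() + ";!*;maxdepth=5;maxbytes=4096");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Greeting("hello"));
        System.out.println(((Greeting) deserializeFiltered(expected)).text);

        // Constructed stand-in for untrusted input: a harmless JDK class the app never asked for.
        byte[] unexpected = serialize(new java.util.Date());
        System.out.println(deserializeUnfiltered(unexpected));
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The unfiltered reader happily returns the Date, while the filtered reader throws InvalidClassException the moment it meets a class outside the allowlist; the same filter can be installed JVM-wide with ObjectInputFilter.Config.setSerialFilter.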

Conclusion

Finally, because of this vulnerability, some friends in the group (click to join) have been asking about it. So, based on what DD currently knows, here are a few points to note:

  1. The bugs Spring has officially reported are not that serious and can be fixed by upgrading to the fixed versions given in the advisories.
  2. The bugs Spring has officially reported may not be related to the bug circulating online.
  3. Some marketing-account articles carry a risk of malicious downloads; be careful.
  4. Stay tuned; DD will continue to follow up and analyze if there is further information.

If you are learning the Spring family of frameworks or following cutting-edge Spring news, please follow my public account, program ape DD, or my personal blog, where I have long shared solid, practical content about Spring.

Welcome to follow my public account: program ape DD. Get cutting-edge industry news, in-depth technical know-how, and high-quality learning resources first.