Yesterday Spring released Spring Cloud Function 3.1.7 and 3.2.3 to address the CVE-2022-22963: Spring expression resource access vulnerability.

In Spring Cloud Function versions 3.1.6, 3.2.2, and older unsupported versions, users can access local resources with the help of a special SpEL when using routing. The vulnerability level is Medium, which is still not at the high risk level of network transmission RCE.

Spring Cloud Function is a functional programming component provided by Spring Cloud for Serverless that abstracts all transport details and infrastructure, allowing developers to bring Spring’s programming style to Serverless development and focus on business logic implementation.

As of March 2022, Spring has fixed the following vulnerabilities:

Spring March 2022 CVE Repair list, from Tanzu

Tanzu, a product of Spring’s parent company Vmware, is designed to help developers build new applications, modernize existing ones, and improve software development processes around cloud-native technologies, models, and architectures. It has a lot of knowledge related to cloud native, including Docker, K8S and so on, the content is very dry, many of them are free, and are shared by some industry leaders, if you are interested, you can go and have a look.

In addition, according to Spring core developer Sam Brannen in a Spring Framework commit involving Java deserialization yesterday:

Statement from Sam, the core developer of the Spring team

Meaning:

“This commit does not address any existing vulnerabilities and is unrelated to Spring Core RCE. Stop spamming this submission.”

That is true.

The purpose of this submission is to inform developers using SerializationUtils#deserialize of the dangers of deserializing objects from untrusted sources.

The core of the Spring Framework does not use SerializationUtils to deserialize objects from untrusted sources.

If you think you have found a security problem, report it responsibly on a dedicated page: spring. IO /security-po…

And please do not post any further comments in this submission.

thank you

The address of this declaration is:

Github.com/spring-proj…

As for some other anecdotal, fat brother is not clear, if there is a new authority issued, fat brother will be the first time to follow up.

In addition to remind the majority of Internet users to screen when browsing Internet information, some of the sources of unofficial, non-authoritative organizations to be cautious.