This Week in Spring - April 19th, 2022

Engineering | Josh Long | April 19, 2022 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's been quite the week since we last talked! I flew to Atlanta, GA, for my first in-person show since the pandemic - Devnexus 2022. I loved the experience! Hopefully, the only souvenirs I'll have are the amazing memories and not COVID. I loved to see so many smiling faces. Thanks so much for having me, Devnexus, and for running an amazing show. It was a privilege to return.

And now, without further ado, let's dive right into the roundup.

Spring Framework Data Binding Rules Vulnerability (CVE-2022-22968)

Engineering | Sam Brannen | April 13, 2022 | ...

While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.

We have released Spring Framework 5.3.19 and 5.2.21 which contain the fix. Spring Boot 2.6.7 and 2.…

This Week in Spring - April 12th, 2022 (Devnexus 2022 Edition!!)

Engineering | Josh Long | April 12, 2022 | ...

This Week in Spring - Devnexus Edition

Hi, Spring fans! Welcome to another installment of This Week in Spring - I'm at my first in-person event since the virus: Devnexus! WOOHOOO!! Well, technically I'm still in San Francisco as I write this, but I'll be in Atlanta, GA tomorrow for... Devnexus! I hope if you're there that you'll reach out!

Friends, colleagues, and community members from the Spring, Tanzu, and adjoining communities will also be there! Here are some of the people I hope to nab a selfie with and whose talks I hope to see!

This Week in Spring - April 5th, 2022

Engineering | Josh Long | April 05, 2022 | ...

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm back home from the Hawaiian islands. It's so good to be home.

First things first: there's a security vulnerability. We've already released guidance on how to mitigate as well as new releases of Spring Framework and Spring Boot that include the mitigation by default. See the links below for more.

Now, back to your regularly scheduled installment of This Week in Spring:

Spring Framework RCE, Mitigation Alternative

Engineering | Rossen Stoyanchev | April 01, 2022 | ...

Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78, all of which close the attack vector on Tomcat's side. While the vulnerability is not in Tomcat itself, in real-world situations it is important to be able to choose among multiple upgrade paths that in turn provide flexibility and layered protection.

Upgrading to Spring Framework 5.3.18+ or 5.2.20+ continues to be our main recommendation not only because it addresses the root cause…
