This Week in Spring - Devnexus Edition

Hi, Spring fans! Welcome to another installment of This Week in Spring - I'm at my first in-person event since the virus: Devnexus! WOOHOOO!! Well, technically I'm still in San Francisco as I write this, but I'll be in Atlanta, GA tomorrow for... Devnexus! I hope if you're there that you'll reach out!

Friends, colleagues, and community members from the Spring, Tanzu, and adjoining communities will also be there! Here are some of the people I hope to nab a selfie with and whose talks I hope to see!

• Glenn Renfro
• Adib Saikali
• Joe Grandja
• Whitney Lee
• Hillmer Chona
• Jonatan Ivanov
• Josh Cummings
• Alberto C. Rios
• Simon Brown
…

Hi, Spring fans! In this installment of a Bootiful Podcast, Josh Long (@starbuxman) talks to the GraphQL Java project founder and lead, Atlassian engineer, and Spring GraphQL cofounder Andi Marek (@andimarek).

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm back home from the Hawaiin islands. It's so good to be home.

First thing's first: there's a security vulnerability. We've already released guidance on how to mitigate as well as new releases of Spring Framework and Spring Boot that include the mitigation by deault. See the links below for more.

• Spring Framework RCE, Early Announcement
• Spring Framework RCE, Mitigation Alternative
• CVE report published for Spring Cloud Function

Now, back to your regularly scheduled installment of This Week in Spring:

• A Bootiful Podcast: Kubernetes cofounder and vice president of R&D at VMware, Craig McLuckie
• Blog: Is Your Cluster Ready for v1.24?
…

Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat's side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection.

Upgrading to Spring Framework 5.3.18+ or 5.2.20+ continues to be our main recommendation not only because it addresses the root cause…

Hi, Spring fans! Welcome to another installment of a Bootiful Podcast! In this episode, Josh Long (@starbuxman) talks to Kubernetes cofounder, all-around nice person, and vice president of R&D at VMware, Craig McLuckie (@cmcluck).

Updates

• [04-13] "Data Binding Rules Vulnerability CVE-2022-22968" follow-up blog post published, related to the "disallowedFields" from the Suggested Workarounds
• [04-08] Snyk announces an additional attack vector for Glassfish and Payara. See also related Payara, upcoming release announcement
• [04-04] Updated Am I Impacted with improved description for deployment requirements
• [04-01] Updated Am I Impacted with additional notes
• [04-01] Updated Suggested Workarounds section for Apache Tomcat upgrades and Java 8 downgrades
• [04-01] "Mitigation Alternative" follow-up blog post published, announcing Apache Tomcat releases versions 10.0.20, 9.0.62, and 8.5.78…

Hi, Spring fans! In this installment we dare to be boring with YugabyteDB, a distributed database that just works. It's a database that feels like PostgreSQL but scales like Apache Cassandra.

NOTE: Hi, Spring fans! This is a guest post from Sean Li, our friend at Microsoft

I am pleased to announce that Spring Cloud Azure 4.0 is now generally available. With this major release we aim to bring better security, leaner dependencies, support for production readiness and more. Version 4 represents a significant milestone in our product roadmap that we couldn’t have delivered without the collective wisdom of the Spring community and customer feedback. On behalf of the Spring on Azure product team, thank you for making this happen!

Unified Development Experience

At the Developer Division…

We have released Spring Cloud Function 3.1.7 & 3.2.3 to address the following CVE report.

• CVE-2022-22963: Remote code execution in Spring Cloud Function by malicious Spring Expression

Please review the information in the CVE report and upgrade immediately.