Hi, Spring fans! In this installment, Josh Long (@starbuxman) talk about his first in-person conference since the pandemic descended upon us -the fabulous Devnexus 2022 show - and talks to colleague, teacher, friend, and Kubernetes legend Tiffany Jernigan (@tiffanyfayj).

On behalf of the team and everyone who has contributed, I am pleased to announce that Spring Framework 5.3.19 and 5.2.21 are available now.

Spring Framework 5.3.19 includes 12 fixes and improvements. Spring Framework 5.2.21 includes 5 selected fixes and improvements.

In addition, Spring Framework 5.3.19 and 5.2.21 include a fix for CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability and are recommended upgrades for all Spring production scenarios.

Project Page | GitHub | Issues | Documentation

Table of Contents

• Overview
• Does This Affect My Application?
• Reassessing Your Data Binding Approach

Overview

While investigating the Spring Framework RCE vulnerability CVE-2022-22965 and the suggested workaround, we realized that the disallowedFields configuration setting on WebDataBinder is not intuitive and is not clearly documented. We have fixed that but also decided to be on the safe side and announce a follow-up CVE, in order to ensure application developers are alerted and have a chance to review their configuration.

• CVE-2022-22968: Spring Framework Data Binding Rules Vulnerability

We have released Spring Framework 5.3.19 and 5.2.21 which contain the fix. Spring Boot 2.6.7 and 2.…

This Week in Spring - Devnexus Edition

Hi, Spring fans! Welcome to another installment of This Week in Spring - I'm at my first in-person event since the virus: Devnexus! WOOHOOO!! Well, technically I'm still in San Francisco as I write this, but I'll be in Atlanta, GA tomorrow for... Devnexus! I hope if you're there that you'll reach out!

Friends, colleagues, and community members from the Spring, Tanzu, and adjoining communities will also be there! Here are some of the people I hope to nab a selfie with and whose talks I hope to see!

• Glenn Renfro
• Adib Saikali
• Joe Grandja
• Whitney Lee
• Hillmer Chona
• Jonatan Ivanov
• Josh Cummings
• Alberto C. Rios
• Simon Brown
…

Hi, Spring fans! In this installment of a Bootiful Podcast, Josh Long (@starbuxman) talks to the GraphQL Java project founder and lead, Atlassian engineer, and Spring GraphQL cofounder Andi Marek (@andimarek).

On behalf of the community, I am pleased to announce that the Milestone 2 (M2) of the Spring Cloud 2022.0.0 Release Train is available today. The release can be found in Spring Milestone repository. You can check out the 2022.0 release notes for more information.

Notable Changes in the 2022.0.0-M2 Release Train

See the project page for all the issues and pull requests included in this release.

Spring Cloud 2022.0.0-M2 is compatible with Spring Boot 3.0.0-M2.

Spring Cloud Stream

• Both Kafka and RabbitMQ binders for Spring Cloud Stream have been migrated as part of the core Spring Cloud Stream repository. With this change, Spring Cloud Stream now follows a mono-repo approach where all the framework-related codebase for Spring Cloud Stream is now part of a single repository. See more details here for the Kafka binder and here for the RabbitMQ binder. We recommend filing new feature requests and bug reports for Kafka and RabbitMQ binders in the core repository.
• Introduced initial support for a new reactive Kafka binder based on Reactor Kafka. This support contains consumer and producer bindings using Reactor Kafka behind the scenes. See this issue…

Hi, Spring fans! Welcome to another installment of This Week in Spring! I'm back home from the Hawaiin islands. It's so good to be home.

First thing's first: there's a security vulnerability. We've already released guidance on how to mitigate as well as new releases of Spring Framework and Spring Boot that include the mitigation by deault. See the links below for more.

• Spring Framework RCE, Early Announcement
• Spring Framework RCE, Mitigation Alternative
• CVE report published for Spring Cloud Function

Now, back to your regularly scheduled installment of This Week in Spring:

• A Bootiful Podcast: Kubernetes cofounder and vice president of R&D at VMware, Craig McLuckie
• Blog: Is Your Cluster Ready for v1.24?
…

On behalf of the team and everyone who has contributed, I’m happy to announce that Spring Cloud Dataflow 2.9.4 has been released and is now available from Maven Central.

This release contains an update of the Spring Boot version and addresses a couple of CVEs. See the release notes for more information.

Notable Changes in 2.9.4

• Update to Spring Boot 2.5.12
• Resolves CVE-2022-22965
• Resolves CVE-2021-29425

Stay in touch...

As always, we welcome feedback and contributions, so please reach out to us on Stackoverflow or GitHub.

Yesterday we announced a Spring Framework RCE vulnerability CVE-2022-22965, listing Apache Tomcat as one of several preconditions. The Apache Tomcat team has since released versions 10.0.20, 9.0.62, and 8.5.78 all of which close the attack vector on Tomcat's side. While the vulnerability is not in Tomcat itself, in real world situations, it is important to be able to choose among multiple upgrade paths that in turn provides flexibility and layered protection.

Upgrading to Spring Framework 5.3.18+ or 5.2.20+ continues to be our main recommendation not only because it addresses the root cause…