Spring Framework RCE, Early Announcement


  • [15:40 BST] Spring Boot 2.6.6 is available.
  • [14:38 BST] Spring Boot 2.5.12 is available.
  • [14:00 BST] CVE-2022-22965 is published.
  • [13:03 BST] Added section “Misconceptions”.
  • [12:34 BST] Added section “Am I Impacted”.
  • [12:11 BST] Fix minor issue in the workaround for adding disallowedFields.
  • [11:59 BST] Spring Framework versions 5.3.18 and 5.2.20, which address the vulnerability, are now available. The release process for Spring Boot is in progress.


Spring Cloud Azure 4.0 is Now Generally Available

NOTE: Hi, Spring fans! This is a guest post from Sean Li, our friend at Microsoft.

I am pleased to announce that Spring Cloud Azure 4.0 is now generally available. With this major release we aim to bring better security, leaner dependencies, support for production readiness and more. Version 4 represents a significant milestone in our product roadmap that we couldn’t have delivered without the collective wisdom of the Spring community and customer feedback. On behalf of the Spring on Azure product team, thank you for making this happen!

This Week in Spring - March 29th, 2022

Aloha, Spring fans, from beautiful Maui, Hawaii, where I am with my family on a bit of vacation. It’s our daughter’s Spring break and so we’re enjoying the family time while we can get it! I wanted to take a brief interlude in between the never-enough time on the beach and all the rum to get this week’s installment out for y’all, so let’s dive right into it!

An update on Java 17+ adoption

As a follow-up to my blog post from last year’s SpringOne, it is time for an update on our Java 17+ baseline efforts!

We established the new baseline on our main branches, with a few milestones out already. The feedback has been very positive, not only in terms of framework improvements but also in terms of the motivation for a Java upgrade at the application level. Of course, it does not end with JDK 17 LTS: JDK 18 is an immediate option already, JDK 19 will be the current release when we go final later this year, with JDK 20 to be in early access by then - and JDK 21 LTS on the horizon already…

A Bootiful Podcast: Event streaming guru Jan Svoboda on Apache Kafka Design Patterns

Hi, Spring fans! In this installment Josh Long (@starbuxman) talks to Jan Svoboda, event streaming guru at Confluent, the company behind Apache Kafka, about Apache Kafka design patterns.

Building Native Images with GraalVM and Spring Native on Apple's M1 Architecture

It finally happened! They did it! They did it just in time for me to get on the road and start building applications on the road with my shiny new laptop, too! JOY!! Oracle and the GraalVM team released GraalVM and the GraalVM native image capability for Apple M1! I’ve been waiting for this day for so, so, so long! I bought the first Apple M1 the day of the announcement way back in 2020 (does anybody remember that far back? That was, meteorologically speaking, the early pandemic period).

Apple’s M1 devices are insanely fast, energy-efficient beasts of machines that run circles around all but the beefiest and latest-and-greatest Intel/NVidia configurations while also consuming a pittance of the power that those other configurations do. In short, I’m a big fan. But the move to this new architecture hasn’t been without its troubles.
