On March 1, 2022, Spring disclosed two CVEs for Spring Cloud Gateway: CVE-2022-22946 (severity: Medium) and CVE-2022-22947 (code injection vulnerability, severity: Critical).
• CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
• CVE-2022-22946: Spring Cloud Gateway HTTP2 Insecure TrustManager
Users of affected versions are advised to upgrade: Spring Cloud 2021.0.x users should upgrade to 2021.0.1 (which includes Spring Cloud Gateway 3.1.1), and Spring Cloud 2020.0.x users should upgrade Spring Cloud Gateway to 3.0.7.
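A quick way to act on that advice across many services is to scan each project's `mvn dependency:tree` output for the `spring-cloud-gateway-server` artifact and compare it against the fix levels quoted above (3.1.x needs 3.1.1, 3.0.x needs 3.0.7; 3.2 and later lines were released after the fix). The script below is an added example, not code from the original post or from Spring; the dependency-tree lines it scans are constructed samples, and the treatment of pre-release qualifiers (a `3.1.1-SNAPSHOT` is still before the GA fix) and of 2.x lines (unsupported, treated as affected) is this example's own policy.

```python
"""Inventory check for the Spring Cloud Gateway fix levels quoted in the advisory.

Added example, not from the original post. Fix levels: 3.1.x -> 3.1.1, 3.0.x -> 3.0.7.
Input is the output of `mvn dependency:tree`; the sample lines below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# First fixed patch level per supported minor line, as quoted in the advisory.
FIXED_PATCH: Dict[Tuple[int, int], int] = {(3, 1): 1, (3, 0): 7}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9.-]+))?$")
# mvn dependency:tree prints groupId:artifactId:type[:classifier]:version:scope
_TREE_RE = re.compile(
    r"org\.springframework\.cloud:spring-cloud-gateway-server:[^:\s]+(?::[^:\s]+)?:(\d[^:\s]*):"
)


def parse_version(version: str) -> Optional[Tuple[int, int, int, bool]]:
    """Return (major, minor, patch, is_ga); is_ga is False for SNAPSHOT/RC/M builds."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    qualifier = m.group(4)
    is_ga = qualifier is None or qualifier.upper() == "RELEASE"
    return major, minor, patch, is_ga


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the advisory's fix level, False if at/above it, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    major, minor, patch, is_ga = parsed
    line = (major, minor)
    if line in FIXED_PATCH:
        fixed = FIXED_PATCH[line]
        # A pre-release build of the fixed patch (e.g. 3.1.1-SNAPSHOT) predates the GA fix.
        return patch < fixed or (patch == fixed and not is_ga)
    if line > max(FIXED_PATCH):
        return False  # 3.2.x and later lines shipped after the fix
    return True  # 2.x lines are unsupported; this example treats them as affected


def scan_dependency_tree(tree_output: str) -> List[Tuple[str, str]]:
    """Find every spring-cloud-gateway-server version in dependency:tree output."""
    findings: List[Tuple[str, str]] = []
    for line in tree_output.splitlines():
        m = _TREE_RE.search(line)
        if not m:
            continue
        version = m.group(1)
        status = {True: "VULNERABLE", False: "fixed", None: "unparsed"}[is_vulnerable(version)]
        findings.append((version, status))
    return findings


# Constructed sample: dependency trees of two services, concatenated.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.2.0:tree (default-cli) @ edge-gateway ---
[INFO] +- org.springframework.cloud:spring-cloud-starter-gateway:jar:3.1.0:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-gateway-server:jar:3.1.0:compile
[INFO] |     \\- org.springframework.boot:spring-boot-starter-webflux:jar:2.6.3:compile
[INFO] --- maven-dependency-plugin:3.2.0:tree (default-cli) @ legacy-gateway ---
[INFO] +- org.springframework.cloud:spring-cloud-starter-gateway:jar:3.0.7:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-gateway-server:jar:3.0.7:compile
"""

if __name__ == "__main__":
    for version, status in scan_dependency_tree(SAMPLE_TREE):
        print(f"spring-cloud-gateway-server {version}: {status}")
```

Pipe real output in with `mvn dependency:tree | python3 check_scg.py` (file name assumed) after replacing the constructed sample; the check keys on the `spring-cloud-gateway-server` artifact rather than the starter because that is the module whose version the advisory's fix levels refer to.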
Systematic security guarantee
In the cloud native era, dominated by container technology and Kubernetes, a cloud native gateway replaces the traditional two-layer design of a separate traffic gateway and microservice gateway with a single layer. That single layer is also where security can be enforced systematically, rather than piecemeal across two tiers.
Microservice Engine (MSE) Cloud Native Gateway ships with a built-in WAF (web application firewall) and its own security capabilities: HTTPS certificates, IP blacklists, authentication and authorization (including JWT, OIDC and IDaaS), and abnormal-traffic cleaning.
Stronger performance
Pressure test results:
• The TPS of Cloud Native Gateway is roughly twice that of Spring Cloud Gateway and five times that of Zuul.
• The TPS of Cloud Native Gateway is about 90% higher than that of Nginx Ingress.
TLS hardware acceleration
As network environments grow more complex, the transport risks of plaintext HTTP grow with them, which is why HTTPS has become the accepted default across the industry.
Everything has two sides. HTTPS provides stronger transport security, but the handshake (certificate authentication and key exchange) and the encryption and decryption of every record cost CPU time, so sites respond more slowly and servers consume more CPU than with plain HTTP, which makes the machines more expensive.
In 2021, Alibaba Cloud released ECS instances equipped with Intel's latest Ice Lake Xeon processors, whose hardware features raise computing power by more than 50%.
The Crypto Acceleration feature, including Vector AES (VAES), speeds up AES, RSA and EC cryptography through a multi-buffer library. With it, HTTPS hardware acceleration no longer depends on a dedicated accelerator card: the CPU's built-in instructions and SIMD mechanism deliver the performance gain.
Building on this, Cloud Native Gateway was the first to complete the adaptation, passing the benefit of hardware acceleration on to users and greatly improving HTTPS performance without raising their resource costs.
The pressure test data show that, compared with ordinary HTTPS requests, TLS hardware acceleration halves the TLS handshake latency and raises the peak QPS by more than 80%.
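Whether a given instance can deliver that gain depends on the hypervisor actually exposing the vector crypto instructions to the guest, so the first thing to verify on a new ECS instance is the CPU flag set. The script below is an added example, not code from the original post or from Alibaba Cloud; it reads `/proc/cpuinfo` flags and reports the ones relevant to the acceleration described above. `vaes` is the Vector AES feature the post names; the additional flags `vpclmulqdq`, `avx512f` and `avx512ifma` are this example's assumption of what the SIMD and multi-buffer code paths depend on, and the two cpuinfo excerpts are constructed samples.

```python
"""Report whether a host exposes the CPU features TLS vector-crypto acceleration relies on.

Added example, not from the original post. Flag names are the Linux /proc/cpuinfo names.
`vaes` is the Vector AES feature the post names; the other flags are assumed here to be
what the SIMD / multi-buffer crypto paths need, not a vendor-published list.
"""
import os
from typing import Dict, List, Set

# Flags checked, in the order they are reported.
REQUIRED_FLAGS: List[str] = ["aes", "vaes", "vpclmulqdq", "avx512f", "avx512ifma"]


def cpu_flags(cpuinfo_text: str) -> Set[str]:
    """Collect the union of all 'flags' entries in /proc/cpuinfo-style text."""
    flags: Set[str] = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def check_crypto_acceleration(cpuinfo_text: str) -> Dict[str, bool]:
    """Map each required flag to whether the host advertises it."""
    present = cpu_flags(cpuinfo_text)
    return {flag: flag in present for flag in REQUIRED_FLAGS}


def missing_flags(cpuinfo_text: str) -> List[str]:
    """Flags a TLS stack would need for the vector-crypto fast path but the host lacks."""
    return [flag for flag, ok in check_crypto_acceleration(cpuinfo_text).items() if not ok]


# Constructed samples: an Ice Lake-style guest and an older guest without the vector extensions.
ICE_LAKE_STYLE = """\
processor\t: 0
model name\t: (constructed sample, Ice Lake-class Xeon)
flags\t\t: fpu vme de pse tsc msr sse sse2 ssse3 sse4_1 sse4_2 avx avx2 aes pclmulqdq \
avx512f avx512dq avx512cd avx512bw avx512vl avx512ifma vaes vpclmulqdq sha_ni
"""

OLDER_GUEST = """\
processor\t: 0
model name\t: (constructed sample, pre-Ice Lake Xeon)
flags\t\t: fpu vme de pse tsc msr sse sse2 ssse3 sse4_1 sse4_2 avx avx2 aes pclmulqdq
"""

if __name__ == "__main__":
    # On a real host read the live file; fall back to the constructed sample elsewhere.
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = ICE_LAKE_STYLE
    for flag, ok in check_crypto_acceleration(text).items():
        print(f"{flag:12s} {'present' if ok else 'MISSING'}")
    lacking = missing_flags(text)
    print("vector crypto fast path: " + ("available" if not lacking else f"blocked by {lacking}"))
```

If `vaes` or `vpclmulqdq` is reported missing on an instance that should be Ice Lake-based, the instance type or the guest CPU model presented by the hypervisor is the place to look before benchmarking the gateway, because the TLS library will silently fall back to the scalar AES-NI path.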
For details on how to quickly migrate from Spring Cloud Gateway to Cloud Native Gateway, see help.aliyun.com/document_de…
Follow the [Alibaba Cloud Native] public account for the latest cloud native news, regular cloud native events and livestreams, and Alibaba Cloud product updates and user best practices.