Hi, I’m DD

On March 1, the official Spring blog published a CVE report for Spring Cloud Gateway.

It covers one critical-severity and one medium-severity vulnerability. Users of Spring Cloud Gateway are advised to upgrade to 3.1.1+ or 3.0.7+, or to apply the other mitigations below to harden their deployments.

Affected users can read the details of the two vulnerabilities and their mitigations below.

CVE-2022-22947: Code injection vulnerability

Severity: Critical

Vulnerability description: Applications using Spring Cloud Gateway are vulnerable to code injection when the Gateway Actuator endpoint is enabled, exposed over the network and unsecured. A remote attacker can send a maliciously crafted request that results in arbitrary code execution on the host running the gateway.

Affected versions:

The following versions of Spring Cloud Gateway are affected:

  • 3.1.0
  • 3.0.0 to 3.0.6
  • Older, unsupported versions are also affected

Mitigation methods:

Users of affected versions should remediate with the following steps.

  • 3.1.x users should upgrade to 3.1.1+
  • 3.0.x users should upgrade to 3.0.7+
  • If the Gateway Actuator endpoint is not needed, disable it with the configuration property `management.endpoint.gateway.enabled: false`
  • If the Actuator endpoints are required, protect them with Spring Security so that only authenticated, authorized callers can reach them
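If the Gateway Actuator endpoint has to stay enabled, the second option is to put it behind Spring Security. The following is an added example, not code from the original post or from the Spring project, of a reactive (WebFlux) Spring Security configuration for a Spring Boot 2.x gateway: it requires HTTP Basic authentication with an assumed `ACTUATOR_ADMIN` role for every Actuator endpoint (so the gateway endpoint is covered whatever the management base path is), keeps the health endpoint open for liveness probes, and leaves the proxied routes themselves unauthenticated. The user name, role, package name and environment variable are assumptions for illustration.

```java
// Added example (not from the original post or the Spring project): a WebFlux
// Spring Security configuration that puts every Actuator endpoint, including
// the gateway endpoint, behind HTTP Basic authentication and an assumed
// ACTUATOR_ADMIN role, while leaving the proxied routes alone.
// Spring Cloud Gateway is reactive, so the reactive security API is used.
package com.example.gateway.security; // hypothetical package

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig {

    // Chain 1: matches only Actuator endpoints, regardless of
    // management.endpoints.web.base-path, and is evaluated first.
    @Bean
    @Order(1)
    public SecurityWebFilterChain actuatorChain(ServerHttpSecurity http) {
        return http
            .securityMatcher(EndpointRequest.toAnyEndpoint())
            .authorizeExchange(exchanges -> exchanges
                // liveness/readiness probes usually need health without credentials
                .matchers(EndpointRequest.to("health")).permitAll()
                // everything else under the management base path, gateway included
                .anyExchange().hasRole("ACTUATOR_ADMIN"))
            .httpBasic(Customizer.withDefaults())
            // API-only endpoint authenticated per request; no browser session to protect
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .build();
    }

    // Chain 2: the proxied routes. Left open here so the gateway keeps working
    // as before; tighten this if the routes themselves need authentication.
    @Bean
    @Order(2)
    public SecurityWebFilterChain proxyChain(ServerHttpSecurity http) {
        return http
            .authorizeExchange(exchanges -> exchanges.anyExchange().permitAll())
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .httpBasic(ServerHttpSecurity.HttpBasicSpec::disable)
            .formLogin(ServerHttpSecurity.FormLoginSpec::disable)
            .build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Demo user for the example. In production, back this with your identity
    // provider rather than an in-memory map. Account name and environment
    // variable are assumptions.
    @Bean
    public MapReactiveUserDetailsService actuatorUsers(PasswordEncoder encoder) {
        String password = System.getenv("ACTUATOR_ADMIN_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException("ACTUATOR_ADMIN_PASSWORD must be set");
        }
        UserDetails admin = User.withUsername("actuator-admin")
            .password(encoder.encode(password))
            .roles("ACTUATOR_ADMIN")
            .build();
        return new MapReactiveUserDetailsService(admin);
    }
}
```

Defining your own `SecurityWebFilterChain` beans makes Spring Boot's default "authenticate everything" chain back off, which is why the second chain is declared explicitly. Disabling the endpoint with `management.endpoint.gateway.enabled: false` is still the simpler choice when nobody needs it at run time, and neither option replaces the upgrade: restricting access narrows who can reach the endpoint but does not change the vulnerable code behind it.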

CVE-2022-22946: HTTP/2 insecure TrustManager

Severity: Medium

Vulnerability description: When HTTP/2 is enabled and no key store or trusted certificates have been configured, the application is set up to use an insecure TrustManager. This allows the gateway to connect to remote services that present invalid or self-issued certificates, so the TLS connection to those backends no longer verifies who is on the other end.

Affected versions:

The following versions of Spring Cloud Gateway are affected:

  • 3.1.0

Mitigation methods:

  • 3.1.x users should upgrade to 3.1.1+

Spring Cloud Gateway has a critical vulnerability, so take the measures above to harden your deployment. Follow my blog for the latest technical news.

You are also welcome to follow my WeChat official account, Program Ape DD, for the latest industry news, in-depth technical articles and quality learning resources.