Hi, I'm DD
On March 1, the official Spring blog published a CVE report on Spring Cloud Gateway.
It covers one high-risk vulnerability and one medium-risk vulnerability. Users of Spring Cloud Gateway are advised to upgrade promptly to 3.1.1+ or 3.0.7+, or to apply one of the other mitigations to harden their deployments.
The details and mitigations for both vulnerabilities follow.
CVE-2022-22947: Code Injection Vulnerability
Severity: Critical
Vulnerability Description: Applications using Spring Cloud Gateway are vulnerable to code injection when the Actuator gateway endpoint is enabled, exposed, and unsecured. A remote attacker can send a maliciously crafted request that allows arbitrary code execution on the remote host.
Scope:
The following versions of Spring Cloud Gateway are affected:
- 3.1.0
- 3.0.0 to 3.0.6
- other older versions
Mitigation Method:
Users of affected versions can remediate with the following actions.
- 3.1.x users should upgrade to 3.1.1+
- 3.0.x users should upgrade to 3.0.7+
- If the Actuator gateway endpoint is not required, disable it with the following configuration:
management.endpoint.gateway.enabled: false
- If the Actuator endpoint is required, it should be secured with Spring Security
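As an added example (not code from the Spring blog post or from the Spring Cloud Gateway project), the following Spring Security configuration shows what the last mitigation looks like for a reactive gateway built on Spring Boot 2.6 / Spring Security 5.x: every Actuator endpoint, including /actuator/gateway, requires HTTP Basic authentication and a role named ACTUATOR_ADMIN. The role name, the user name actuator-admin, the environment variable ACTUATOR_ADMIN_PASSWORD, and the in-memory user store are assumptions for illustration; a real deployment would plug in its own user source. It assumes spring-boot-starter-security and spring-boot-starter-actuator are on the classpath.

```java
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

/**
 * Example (not project code): locks down all Actuator endpoints of a
 * Spring Cloud Gateway instance so that the gateway endpoint targeted by
 * CVE-2022-22947 is no longer reachable anonymously.
 */
@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig {

    // Filter chain scoped to Actuator endpoints only (/actuator/**).
    // EndpointRequest.toAnyEndpoint() matches every exposed management
    // endpoint, including /actuator/gateway and its sub-paths.
    @Bean
    public SecurityWebFilterChain actuatorSecurityChain(ServerHttpSecurity http) {
        return http
                .securityMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeExchange(exchanges -> exchanges
                        .anyExchange().hasRole("ACTUATOR_ADMIN")) // assumed role name
                .httpBasic(Customizer.withDefaults())
                .build();
    }

    // Delegating encoder so stored credentials are never compared in clear text.
    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Illustrative in-memory operator account. The password is injected from
    // the ACTUATOR_ADMIN_PASSWORD environment variable (assumed name) so that
    // no secret is committed to source; startup fails if it is not set.
    @Bean
    public MapReactiveUserDetailsService actuatorUsers(
            PasswordEncoder encoder,
            @Value("${ACTUATOR_ADMIN_PASSWORD}") String adminPassword) {
        UserDetails operator = User.withUsername("actuator-admin") // assumed user name
                .password(encoder.encode(adminPassword))
                .roles("ACTUATOR_ADMIN")
                .build();
        return new MapReactiveUserDetailsService(operator);
    }
}
```

Two points to be aware of when adopting this pattern: declaring your own SecurityWebFilterChain bean switches off Spring Boot's auto-configured chain, so the gateway's proxied routes receive no authentication from Spring Security beyond what this matcher covers (normally what a gateway wants, but verify it matches your intent); and CSRF protection is left at its default, so operational tooling that calls the POST operations of the gateway endpoint must supply a CSRF token or you must deliberately scope an exemption to this chain rather than disabling CSRF globally.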
CVE-2022-22946: HTTP/2 Insecure TrustManager
Severity: Medium
Vulnerability Description: When HTTP/2 is enabled and no keystore or trusted certificates are configured, the application is set up to use the insecure TrustManager. This allows the gateway to connect to remote services presenting invalid or custom certificates.
Scope:
The following versions of Spring Cloud Gateway are affected:
- 3.1.0
Mitigation Method:
- 3.1.x users should upgrade to 3.1.1+
This article was first published as: Spring Cloud Gateway has a high-risk vulnerability, and it is recommended to take measures to strengthen protection. You are welcome to follow my blog, where I share the latest technical news.
Welcome to my public account: Programmer DD. Be the first to learn about industry news, get in-depth technical content, and access high-quality learning resources.