
Early yesterday morning I posted a short piece about the big vulnerability in Spring. During the day, many friends asked why the article had been deleted.

Mainly because a friend reminded me that posting it might be illegal (for reference: Alibaba Cloud was punished by the Ministry of Industry and Information Technology for discovering the nuclear-bomb-level Log4j2 vulnerability but failing to report it in time), so I deleted it.

After a day, the whole thing has become rather confusing, so let's talk about this big Spring vulnerability that is circulating on the Internet.

This topic started on the evening of March 29, when DD saw netizens in the group sharing that several security experts had broken the news of a super big vulnerability in the Java ecosystem.

However, neither of the two experts disclosed any more detailed information about the vulnerability. A netizen asked: "Is it as big as log4j?" Yunshu's reply was: "bigger".

After that, the security expert Sunwear (the one who, angered by the poor service attitude of Shanghai Bank staff, withdrew 5 million in cash; if you don't know the story you can Baidu it, DD won't go into details here) gave some more details:

Therefore, the scope of the vulnerability can be narrowed down to projects using Java 9+ and Spring.

At this point, some netizens began to joke about the earlier log4j vulnerability information:

In fact, many people breathed a sigh of relief here, because most shops in China are still using Java 8. DD knows this well: every time a new version of Java is released, there is always feedback from readers along the lines of "you release your version, I'll keep using my Java 8."

Unable to sleep anyway, DD kept searching for related information, and found that Spring had recently made this commit:

From the commit message, it fixes some RCE vulnerability. So that is probably it, right? Interested readers can view the details via the link below.

https://github.com/spring-projects/spring-framework/commit/7f7fb58dd0dae86d22268a4b59ac7c72a6c22529

After that, I saw some professional network security channels publish a fix. But before long the posts from many accounts were "harmonized" (taken down), and it was unclear exactly why.

Then came the daytime of March 30, and various marketing accounts began to hype the issue. There are two kinds of nonsense. The first is mislabelling: taking some older vulnerabilities and calling them this big one, because the headline alone is enough to scare people, so many people followed along and discussed it in the group. For example, some claimed it was Spring Cloud Gateway, but those are all vulnerabilities that were announced on March 1. Others pointed at the last two, but if you look closely they don't seem to match, and their severity is not high.

The other kind is phishing. Because the vulnerability is claimed to be so severe, some unofficial "patch packages" have been released, which are actually malicious code designed to lure people into running them.

So DD reminds everyone: when you encounter a security problem, read the official information instead of just searching for an article and acting on it. This includes what DD shares; links to the official information will be given so everyone can verify and handle it themselves.

Going back to the vulnerability information on the Internet: since the evening of the 29th, everyone has been watching for Spring's official information. However, what arrived during the day was this blog post:

The CVE-2022-22963 described there is very different from the vulnerability information circulating on the Internet, and its severity does not reach the log4j level that the expert claimed earlier.

So let's go back and trace the RCE-related PR mentioned earlier. You can see some updates in its discussion:

A netizen asked: when will a CVE be reported?

@ledoyen replied: This is not a CVE per se. Using this utility to process user input data may result in a CVE, but not when it is used internally, as in CacheResultInterceptor.

@sbrannen concluded at the end: this is not a CVE in the Spring core framework. The purpose of this change is to inform people who were previously deserializing with SerializationUtils that deserializing objects from untrusted sources is dangerous, and the Spring core framework does not use SerializationUtils to deserialize objects from untrusted sources. If you think you have found a security issue, please report it through the dedicated page: https://spring.io/security-policy .
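What the comment above means in practice, as an added example (this is not code from the Spring commit or from this post): rather than calling a bare readObject() on bytes from outside, as the deprecated helper effectively did, the call site attaches an ObjectInputFilter (Java 9+, matching the "Java 9+" scope mentioned earlier) that admits only the one class it expects. The CacheEntry type and the filter pattern are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example, not from the Spring commit or this post: deserialization
// restricted to an allowlist instead of accepting any class in the stream.
public class FilteredDeserialization {

    // Hypothetical value type this call site expects to receive.
    public record CacheEntry(String key, long expiresAt) implements Serializable {}

    // Allowlist our own class (binary name uses '$' for the nested record) and
    // String; "!*" rejects every other class. Depth and array-length limits
    // blunt resource-exhaustion payloads.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$CacheEntry;java.lang.String;"
          + "maxdepth=5;maxarray=1000;!*");

    public static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER); // a rejected class throws InvalidClassException
            return ois.readObject();
        }
    }

    public static byte[] serialize(Serializable obj) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(obj);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the filter (constructed sample value).
        System.out.println(deserialize(serialize(new CacheEntry("user:42", 1648600000L))));
        // Any other class, even a harmless ArrayList, is refused before its data is read.
        try {
            deserialize(serialize(new java.util.ArrayList<String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```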

So this PR, which seemed to fix the big vulnerability circulating online, is not the same thing? I went back to the Weibo of Yunshu, who broke the news, and the earlier post no longer exists. So where did this so-called big vulnerability go? DD can't guess, and won't guess; after all, security vulnerabilities are a very serious matter.

Summary

Finally, since readers in the group keep asking about this vulnerability, here are some points to pay attention to, based on DD's current understanding:

  1. The vulnerabilities officially reported by Spring are not that serious, and can be resolved by upgrading to the versions given in the announcement.
  2. The vulnerability officially reported by Spring may have nothing to do with the big vulnerability rumoured on the Internet.
  3. Some of the marketing articles going around contain risky downloads; everyone should be careful.
  4. Stay tuned: if there is further news, DD will continue to follow up and analyze it for you.

If you are learning the Spring family bucket or follow cutting-edge Spring-related news, please follow my official account, Programmer DD, or my personal blog, where I will keep sharing solid content about everything Spring.

Welcome to my official account, Programmer DD: get the latest industry news first, in-depth technical content, and high-quality learning resources.

程序猿DD

Works: 《Spring Cloud微服务实战》 (Spring Cloud Microservices in Action), the SpringForAll community, OpenWrite, YouTube Chinese dubbing