
Spring Cloud Gateway has high-risk vulnerabilities, and it is recommended to take measures.

On March 1, 2022, the official Spring blog published CVE reports for Spring Cloud Gateway.

They cover one critical-severity vulnerability and one medium-severity vulnerability. Users of Spring Cloud Gateway are advised to upgrade promptly to 3.1.1+ (for 3.1.x) or 3.0.7+ (for 3.0.x), or to apply the other mitigations to harden their deployment.

Those affected can read the details and mitigations for the two vulnerabilities below.

CVE-2022-22947: Code Injection Vulnerability

Severity : Critical

Vulnerability description : Applications using Spring Cloud Gateway are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed over the network, and unsecured. A remote attacker with access to that endpoint can send a maliciously crafted request that allows arbitrary code execution on the host running the gateway. Authentication on the endpoint removes the unauthenticated attack path, but the root cause is fixed only by upgrading.

Scope of influence :

The following versions of Spring Cloud Gateway are affected:

  • 3.1.0

  • 3.0.0 to 3.0.6

  • older, unsupported versions

Mitigation method :

Users of affected versions should apply the following remediations.

  • 3.1.x users should upgrade to 3.1.1+

  • 3.0.x users should upgrade to 3.0.7+

  • If the Actuator gateway endpoint is not required, disable it via the configuration property management.endpoint.gateway.enabled: false, and make sure gateway is not listed in management.endpoints.web.exposure.include (Spring Boot exposes only health over HTTP by default, so the endpoint is reachable only if it was explicitly exposed)

  • If the Actuator endpoint is required, it should be secured with Spring Security so that only authenticated operators can reach /actuator/gateway/**
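The advisory says to secure the endpoint with Spring Security but does not show how. The configuration below is an added example, not code from the Spring advisory or from the Spring Cloud Gateway project. Spring Cloud Gateway is a reactive (WebFlux) application, so the filter chain must be built on ServerHttpSecurity and SecurityWebFilterChain, not on the servlet-stack HttpSecurity. It assumes Spring Boot 2.6.x with spring-boot-starter-actuator and spring-boot-starter-security on the classpath; the package name, the ACTUATOR role and the ACTUATOR_PASSWORD environment variable are hypothetical names chosen for the example.

```java
// Added example: securing the Spring Cloud Gateway actuator endpoints with Spring Security.
// Not code from the Spring advisory or the Spring Cloud Gateway project.
// Assumptions: Spring Boot 2.6.x, spring-boot-starter-actuator and
// spring-boot-starter-security present; package name, role name ACTUATOR and the
// ACTUATOR_PASSWORD environment variable are hypothetical.
package com.example.gateway.security;

import static org.springframework.security.config.Customizer.withDefaults;

import org.springframework.boot.actuate.autoconfigure.security.reactive.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class ActuatorSecurityConfig {

    /**
     * Filter chain that applies only to the actuator endpoints (/actuator/**).
     * The low @Order value makes it the first chain consulted, so it cannot be
     * shadowed by a permissive chain that protects the proxied routes; the
     * gateway's normal routed traffic does not match this chain at all.
     */
    @Bean
    @Order(1)
    public SecurityWebFilterChain actuatorSecurityWebFilterChain(ServerHttpSecurity http) {
        return http
                .securityMatcher(EndpointRequest.toAnyEndpoint())
                .authorizeExchange(exchanges -> exchanges
                        // Orchestrator probes may keep reaching /actuator/health unauthenticated.
                        .matchers(EndpointRequest.to("health")).permitAll()
                        // Every other endpoint, including /actuator/gateway/** (the surface
                        // described by CVE-2022-22947), requires an authenticated ACTUATOR user.
                        .anyExchange().hasRole("ACTUATOR"))
                .httpBasic(withDefaults())
                // Only authenticated basic-auth clients reach this chain, so the CSRF filter
                // adds nothing here and would reject scripted POST /actuator/gateway/refresh.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        // Delegating encoder: bcrypt by default, hashes stored with a {bcrypt} prefix.
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    /**
     * Single operations user for the management API. The password is read from the
     * environment (hypothetical variable name) so no credential is hard-coded, and the
     * application refuses to start without it instead of falling back to a default.
     */
    @Bean
    public MapReactiveUserDetailsService actuatorUsers(PasswordEncoder encoder) {
        String password = System.getenv("ACTUATOR_PASSWORD");
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException(
                    "ACTUATOR_PASSWORD must be set before the actuator endpoints are exposed");
        }
        UserDetails ops = User.withUsername("ops")
                .password(encoder.encode(password))
                .roles("ACTUATOR")
                .build();
        return new MapReactiveUserDetailsService(ops);
    }
}
```

With this in place an unauthenticated request to /actuator/gateway/routes receives a 401 instead of the route list, while /actuator/health stays reachable for probes. Two caveats: keep gateway out of management.endpoints.web.exposure.include unless operators genuinely need it, and treat the Spring Security configuration as a stop-gap only, since it limits who can reach the vulnerable code rather than fixing it; the upgrade to 3.1.1+ or 3.0.7+ is still required.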

CVE-2022-22946: HTTP2 Insecure TrustManager

Severity : Medium

Vulnerability description : When HTTP2 is enabled and no keystore or trusted certificates are configured, the application is set up with an insecure TrustManager. The gateway will then connect to upstream services that present invalid or custom (for example self-signed or expired) certificates, which defeats server authentication on the gateway-to-upstream hop and exposes that traffic to interception by anyone who can sit between the two.

Scope of influence :

The following versions of Spring Cloud Gateway are affected:

  • 3.1.0

Mitigation method :

  • 3.1.x users should upgrade to 3.1.1+

This article was first published as: Spring Cloud Gateway has high-risk vulnerabilities, and it is recommended to take measures to strengthen protection. Welcome to my blog for more cutting-edge technical information.

