
Spring Framework

Product
First release date: 2002/10/01
Last Release Date: 2022/04/01
Technology: Application Development Tools


The Spring Framework (or simply Spring) is an open source framework for the Java platform and the .NET Framework (a fork called Spring.NET).

MVC

Spring has its own MVC framework for web applications. Spring MVC offers the developer the following (as of March 2022):

  • A clear and transparent separation between the MVC layers and request handling.
  • Strategy interfaces: each interface does only its own part.
  • Any interface can be replaced by an alternative implementation.
  • The interfaces are closely aligned with the Servlet API.
  • A high level of abstraction for web applications.
  • Other parts of Spring, not just Spring MVC, can be used in web applications.

2022: Zero-day vulnerability discovered

On March 31, 2022, the UserGate Monitoring and Response Center reported a zero-day vulnerability in the Spring library running on the JDK that could affect a huge number of applications. As of the end of March 2022, no CVE ID had yet been assigned; the working name of the vulnerability was SpringShell.

The vulnerability exists in Spring Core on JDK version 9.0 and later.

On JDK version 9.0 and later, an attacker can reach the AccessLogValve and pass malicious field values through the parameters of the framework's data-binding function, which leads to execution of arbitrary code on the target system.

As of the end of March 2022, two conditions were known to be required to exploit the vulnerability: use of the Spring MVC framework and JDK version 9.0 or higher.

UserGate advises:

  • Upgrade Spring Cloud Function to versions 3.1.7 and 3.2.3, respectively;
  • Verify that the subscription to the Security Updates module is up to date. When the UserGate signature profile is used, all new signatures take effect automatically.

According to Rostelecom-Solar on April 8, 2022, the critical vulnerability CVE-2022-22965 was assigned a CVSS severity score of 9.8/10. It has been fixed in Spring Framework 5.3.18 and 5.2.20.

The vulnerability was found in the Spring Core module, which allows data from an HTTP request to be bound to fields of application objects. The bug was in the implementation of the getCachedIntrospectionResults method, which could be used to gain unauthorized access to those objects by passing their class names in a specially crafted HTTP request.

The vulnerability is present in Spring MVC and Spring WebFlux applications running on the Java Development Kit (version 9+), and its exploitation could lead to the compromise of a huge number of servers. Enterprise Java applications based on the Spring Framework that run with root privileges are at the highest risk, since in them the vulnerability allows the entire system to be compromised.
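To make concrete both the request-to-object data binding that the MVC section describes and the hardening that the CVE-2022-22965 section implies, here is an added example (not code from this page, from UserGate, from Rostelecom-Solar, or from the Spring project itself). It shows a minimal Spring MVC controller whose form object is populated from request parameters, next to a global `@ControllerAdvice` that applies the disallowed-field workaround Spring published for applications that cannot yet upgrade to 5.3.18 / 5.2.20. The package name, class names, and the `/greet` endpoint are assumptions made for the example; `WebDataBinder.setDisallowedFields` and the annotations are real Spring APIs.

```java
// Added example: Spring MVC request binding plus the published binder hardening.
// Package, class names and the /greet endpoint are assumptions for illustration.
package example.hardening;

import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;
import org.springframework.web.bind.annotation.ModelAttribute;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

/** Plain form object; Spring MVC binds request parameters onto its setters. */
class GreetingForm {
    private String name;

    public String getName() { return name; }
    public void setName(String name) { this.name = name; }
}

@RestController
class GreetingController {

    // A request such as POST /greet?name=Alice binds the "name" parameter onto
    // GreetingForm.name. The binder also accepts nested property paths, and in
    // the affected versions that includes paths starting from the object's
    // inherited "class" property, which is what the vulnerability abuses.
    @PostMapping("/greet")
    public String greet(@ModelAttribute GreetingForm form) {
        return "Hello, " + form.getName();
    }
}

/**
 * Global workaround for applications still on a vulnerable Spring version:
 * refuse to bind any property path that traverses "class" (in either case),
 * so request parameters can never reach the object's Class or ClassLoader.
 * Lowest precedence lets it run after other advice, as in Spring's guidance.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
class BinderHardeningAdvice {

    @InitBinder
    public void restrictFieldBinding(WebDataBinder binder) {
        String[] denylist = {"class.*", "Class.*", "*.class.*", "*.Class.*"};
        binder.setDisallowedFields(denylist);
    }
}
```

Two caveats a practitioner should keep in mind. First, this advice is a mitigation, not a fix: upgrading to Spring Framework 5.3.18 / 5.2.20 (or the corresponding Spring Boot release) remains the actual remedy. Second, a controller that declares its own `@InitBinder` and calls `setDisallowedFields` itself replaces the global list rather than extending it, so every such controller must repeat the same patterns for the protection to hold.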

2010

The current version of Spring (as of September 2010) is 3.0.3.

Although the Spring Framework does not prescribe any particular programming model, it has become widespread in the Java community mainly as an alternative to, and replacement for, the Enterprise JavaBeans model. The Spring Framework gives Java developers more freedom in design and, in addition, provides well-documented and easy-to-use tools for solving the problems that arise when building industrial-scale applications.

At the same time, the features of the Spring Framework core are applicable in any Java application, and there are many extensions and enhancements for building web applications on the Java Enterprise platform. For these reasons, Spring has gained great popularity and is recognized by developers as a strategically important framework.

2004-2005: Stable releases

The first stable release, 1.0, came out in March 2004. Subsequent stable releases followed in September 2004 and March 2005.

2003: Apache 2.0 License Release

The framework was first released under the Apache 2.0 license in June 2003.

2002: First Version

The first version was written by Rod Johnson, who first released it alongside the publication of his book Expert One-on-One Java EE Design and Development (Wrox Press, October 2002).