by signal11
672 days ago
Spring’s security record prior to 6 was pretty interesting. They had a bunch of RCE-causing vulns they wouldn’t even recognise as vulns (eg due to Java deserialisation issues), which wasn’t a great look for something in use in many large companies. To be fair, Spring devs did say “don’t use it like that”, but devs of all skill levels use Spring, so that’s not great advice. It is much better now, but of course the latest thing is that it’s now owned by Broadcom. So if you as a contractor are foisting Spring upon your clients, I hope you’re ready with a security/fixes strategy, because don’t expect Broadcom to support old versions of Spring forever. Or else you could just pay Broadcom $$$. Good time to mention: users of open source Spring 5, it goes end of life this month. Hope you’re ready!