Recently, an official Spring Cloud Function test case exposed a SpEL expression injection vulnerability in Spring Cloud Function. The vulnerability can be exploited by injecting a SpEL expression to trigger remote command execution.

Spring Cloud Function is a function computing framework based on Spring Boot. By abstracting away transport details and infrastructure, it keeps familiar development tools and processes available to developers and lets them focus on implementing business logic, which improves development efficiency.

Spring Cloud Function is a project with the following high-level goals:

* Promote the implementation of business logic through functions.
* Decouple the development life cycle of business logic from any specific runtime target, so that the same code can run as a web endpoint, a stream processor, or a task.
* Support a unified programming model across serverless providers, as well as the ability to run standalone (locally or in a PaaS).
* Enable Spring Boot features (auto-configuration, dependency injection, metrics) on serverless providers.

It abstracts away all transport details and infrastructure, allowing developers to keep all their familiar tools and processes and focus on business logic.

At present, Spring Cloud Function has been adopted by many technology giants, including AWS Lambda, Azure, Google Cloud Functions, Apache OpenWhisk, and possibly other "serverless" service providers.

The vulnerability has been rated critical, with a CVSS score of 9.0 (out of 10).

The good news is that only the dynamic routing feature in certain version-specific configurations of Spring Cloud Function (3 <= version <= 3.2.2) is affected.
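To check a project against the version range above, the following added example (not code from the Spring project or the original article) scans a dependency listing for Spring Cloud Function artifacts. It assumes the `group:artifact:type:version:scope` line format printed by `mvn dependency:list`; the sample listing and the function names are constructed for illustration.

```python
import re

# Affected range as stated in the article: 3 <= version <= 3.2.2
LOW, HIGH = (3, 0, 0), (3, 2, 2)

# Constructed sample in the format printed by `mvn dependency:list`
SAMPLE = """\
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile
[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.1.6:compile
[INFO]    org.springframework.cloud:spring-cloud-function-core:jar:3.2.3:compile
[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:2.1.1.RELEASE:compile
[INFO]    org.springframework.boot:spring-boot-starter-web:jar:2.6.4:compile
"""

# group : artifact : type : version : scope (lines with a classifier are not handled)
DEP = re.compile(
    r"org\.springframework\.cloud:(spring-cloud-function[\w-]*):\w+:([^:\s]+):\w+"
)

def parse_version(text):
    """Leading numeric components as a 3-tuple: '3.2' -> (3, 2, 0), '2.1.1.RELEASE' -> (2, 1, 1)."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break  # stop at a qualifier such as RELEASE
        nums.append(int(m.group()))
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple((nums + [0, 0, 0])[:3])

def is_affected(version):
    """True when the version falls inside the range given in the article."""
    return LOW <= parse_version(version) <= HIGH

def audit(listing):
    """Return (artifact, version, in_affected_range) for each Spring Cloud Function dependency."""
    return [(a, v, is_affected(v)) for a, v in DEP.findall(listing)]

if __name__ == "__main__":
    for artifact, version, hit in audit(SAMPLE):
        print(f"{artifact:40} {version:16} {'IN AFFECTED RANGE' if hit else 'ok'}")
```

A version inside the range is only the first condition: as stated above, the issue concerns dynamic routing, so the application's routing configuration still has to be reviewed.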

The bad news is that there are various variants of SpEL expressions, such as charset and replace, and at the time of writing no new version has been officially released. In addition, an exploit for this critical vulnerability is already available on the Internet.
