Mark Paluch

Updates

• [06-20] CVE-2022-22980 is published
• [06-20] Spring Data MongoDB 3.4.1 and 3.3.5 are available

Table of Contents

• 概述
• Vulnerability
• Am I Impacted
• Status
• Suggested Workarounds

Overview

We would like to announce that we have released Spring Data MongoDB 3.4.1 and 3.3.5 to address the following CVE report:

• CVE-2022-22980: Spring Data MongoDB SpEL Expression injection vulnerability through annotated repository query methods

This vulnerability was responsibly reported by Zewei Zhang from NSFOCUS TIANJI Lab on Monday, June 13 2022. The full report will be published to MITRE and as security advisory under tanzu.vmware.com/security in the upcoming days.

On behalf of the team, I’m pleased to announce Spring Data service releases 2021.2.1 and 2021.1.5.
Both releases ship with a fix for mostly bug fixes and dependency upgrades.
For your convenience, Spring Boot 2.7.1 respective 2.6.9 are going to pick up these releases in the upcoming days.

In addition, these releases include fixes for one vulnerability:

• CVE-2022-22980
  “Spring Data MongoDB SpEL Expression Injection Vulnerability”
  SpEL injection attack in MongoDB applications through repository query methods annotated with @Query or @Aggregation using parametrized SpEL statements with non-sanitized input.
  Severity: High

On behalf of the team, I’m pleased to announce Spring Data service releases 2021.1.2 and 2020.0.9.
Both releases ship with mostly bug fixes and dependency upgrades.
For your convenience, Spring Boot 2.6.4 respective 2.5.10 are going to pick up these releases in the upcoming days.

Along with the service releases, we released the next milestone 2021.2.0-M3 of the 2021.2 release train. We have summarized the new and noteworthy changes in our release notes.

To round things off, here are the links to the individual modules, changelogs, and documentation:

On behalf of the team and everyone who contributed, I’m pleased to announce the availability of the first round of milestones of the Spring Data 2022.0 and 2021.2 release trains.

2021.x vs. 2022.x

You might now ask why is there a new release in the calver 2021.x version and why is there already a 2022.x release?

In parallel to working on Spring Data 3.x, aka 2022.0.0, we continue to invest in the support of the Spring Data 2.x development line. We already expect Spring Data 2.7 and 2.8 releases. So, if you want to continue using Spring Boot 2 for an extended period of time, stick to the 2021.x release trains (which are based on Spring Framework 5.3 and Java 8). That’s the reason we chose to continue with calver 2021.x, which, hopefully, makes understanding version compatibilities easier.
Our Spring Data 3.x development line will be based on Java 17 and Spring Framework 6 and be compatible with Spring Boot 3.

Dear Spring community,

On behalf of the Spring Data team and everyone who contributed, it is my pleasure to announce that Spring Data 2021.1.0 has entered its release candidate phase by releasing RC1 today. It is available from the milestone repository. This release ships with several tickets fixed. The most notable changes are:

• Deprecate support for RxJava 2 in preparation for removal of RxJava 2 support with Spring Data 3.0.
• Fluent Query API for Querydsl and Query-by-Example, allowing for projections, pagination, and consuming results as a Stream.
• Spring Data JDBC ships with a refined SQL DSL, accepting complex JOIN conditions and subselects.
• Support for exists and not empty keywords in Elasticsearch repository query methods and support for field exclusion in source.
• Improve mapping performance for custom queries and paths in Neo4j and support for ReactiveQuerydslPredicateExecutor.

On behalf of the team, I’m pleased to announce the availability of the Spring Data 2021.0.6 and 2020.0.14 service releases.

Both releases are built on top of Spring Framework 5.3.11. For your convenience, you can consume Spring Data 2021.0.6 and 2020.0.14 through the upcoming Spring Boot releases 2.5.6 and 2.4.12, respectively.

Both service releases ship with mostly bug fixes and dependency upgrades.

To round things off, here are the links to the artifacts, changelogs, and documentation:

2021.0.6

• Spring Data Commons 2.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data JDBC 2.2.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data JPA 2.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data for Apache Geode 2.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Neo4j 6.1.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data for Apache Cassandra 3.2.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data MongoDB 3.2.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data KeyValue 2.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data R2DBC 1.3.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data LDAP 2.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Envers 2.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data REST 3.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Redis 2.5.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Elasticsearch 4.2.6 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Couchbase 4.2.6 - Artifacts - Javadoc - Documentation - Changelog

On behalf of the team, I’m pleased to announce the availability of the Spring Data 2021.0.5 and 2020.0.13 service releases.

Both releases are built on top of Spring Framework 5.3.10. For your convenience, you can consume Spring Data 2021.0.5 and 2020.0.13 through the upcoming Spring Boot releases 2.5.5 and 2.4.11, respectively.

Both service releases ship with mostly bug fixes and dependency upgrades.

To round things off, here are the links to the artifacts, changelogs, and documentation:

2021.0.5

• Spring Data Commons 2.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data JDBC 2.2.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data JPA 2.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data MongoDB 3.2.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data KeyValue 2.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Neo4j 6.1.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data for Apache Geode 2.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data for Apache Cassandra 3.2.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data R2DBC 1.3.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data LDAP 2.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Envers 2.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data REST 3.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Redis 2.5.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Elasticsearch 4.2.5 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Couchbase 4.2.5 - Artifacts - Javadoc - Documentation - Changelog

On behalf of the team, I’m delighted to announce the availability of the third Spring Data 2021.1.0 milestone. This release is the last milestone before entering the RC phase on mid October. This release ships besides numerous bugfixes and dependency upgrades a series of notable enhancements:

General

• Support jMolecules’ @Identity as ID annotation
• Publish delete events by repository methods deleteInBatch and deleteAllInBatch methods

MongoDB

• Support for MongoDB 5.0 aggregation stages and operators including $setWindowFields for aggregations using time-series.
• Configuration options for MongoDB’s versioned Server API.
• Schema derivation for encrypted fields.

On behalf of the team, I’m pleased to announce the availability of the Spring Data service 2021.0.2 and 2020.0.10 releases.

Both releases are built on top of Spring Framework 5.3.8. For your convenience, you can consumer these releases through Spring Boot 2.5.2 and 2.4.8, respectively.

The service releases ship with mostly bug fixes and dependency upgrades.

To round things off, here are the links to the artifacts, changelogs, and documentation:

2021.0.2

• Spring Data Commons 2.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data JDBC 2.2.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data JPA 2.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data KeyValue 2.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data for Apache Cassandra 3.2.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data MongoDB 3.2.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data for Apache Geode 2.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Neo4j 6.1.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data R2DBC 1.3.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data LDAP 2.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Envers 2.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data REST 3.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Redis 2.5.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Elasticsearch 4.2.2 - Artifacts - Javadoc - Documentation - Changelog
• Spring Data Couchbase 4.2.2 - Artifacts - Javadoc - Documentation - Changelog