Spring Cloud Gateway Has a High-risk Vulnerability, and the Next-generation Cloud-native Gateway Is Just in Time

Spring Cloud Gateway Introduction:

In addition to the official gateway upgrade, is there a once-and-for-all solution?

Spring Cloud Gateway Sudden High Risk Vulnerability

The vulnerability of Log4j2 has just come to an end. Spring officially released two CVE vulnerabilities of Spring Cloud Gateway on March 1, 2022, namely CVE-2022-22946 (severity: Medium) and CVE-2022-22947 (code injection vulnerability) , Severity: Critical).
Official announcement address: https://spring.io/blog/2022/03/01/spring-cloud-gateway-cve-reports-published
Vulnerability details:
•CVE-2022-22947: Spring Cloud Gateway Code Injection Vulnerability
•CVE-2022-22946: Spring Cloud Gateway HTTP2 Insecure TrustManager
The official recommendation is to fix it by upgrading :
Spring Cloud users should upgrade to 2021.0.1 (which includes 3.1.1) or for 2020.0.x users should upgrade Spring Cloud Gateway to 3.0.7.

Spring Cloud Gateway.Besides upgrading, is there a one-and-done solution

Since the vulnerability is related to the gateway, it is obviously necessary to avoid such security risks at the root from the perspective of gateway construction. Next, we will start with the cloud native gateway capability provided by the microservice engine MSE .
Systematic Security Guarantee

In the cloud-native era dominated by container technology and K8s, cloud-native gateways break the traditional two-tier architecture of traffic gateways and microservices gateways , combine them into one, and improve systematic security.

Microservice engine MSE-cloud native gateway, built-in WAF (Web Application Firewall), and also supports integration of users' existing self-built security capabilities, allowing businesses to quickly build security barriers, supporting HTTPS certificates, IP blacklists, authentication and authorization (including JWT, OIDC and IDaaS ), abnormal traffic cleaning.
more powerful performance

Pressure test results :
•The TPS of the cloud native gateway is basically 2 times that of Spring Cloud Gateway and 5 times that of Zuul .
•The TPS of the cloud native gateway is about 90% higher than that of Nginx Ingress.
TLS hardware acceleration
With the increasing complexity of the network environment, the transmission security risks brought by the traditional HTTP plaintext transmission protocol are also increasing day by day. Therefore, the ciphertext transmission protocol of HTTPS has been widely recognized and widely used in the industry; everything has its two sides, HTTPS brings

While achieving higher transmission security, due to the need for authentication and data encryption and decryption, compared with HTTP, the use of HTTPS makes the website access speed "slower", and causes the server CPU consumption to increase, so the machine cost becomes more "expensive". ".

Spring Cloud Gateway.ECS products equipped with the latest Xeon processor Ice Lake in 2021, which will greatly increase the computing power by more than 50% by using the hardware features of the CPU . The Crypto Acceleration features provided, including Vector AES, can accelerate cryptographic calculations such as AES, RSA, and EC through the cooperation of multi-buffer lib. Using this feature enables HTTPS hardware acceleration to get rid of the limitation of dedicated hardware acceleration cards, and the use of CPU built-in instructions combined with SIMD mechanism can also greatly improve the performance of HTTPS.

Spring Cloud Gateway.Based on this, the cloud native gateway took the lead in completing its adaptation, bringing the performance advantages of hardware acceleration to users, and greatly improving the performance of HTTPS without increasing user resource costs.

Spring Cloud Gateway.The stress test data shows that after using TLS hardware acceleration, the TLS handshake delay is doubled compared to ordinary HTTPS requests, and the limit QPS is increased by more than 80%.

Related Articles

Explore More Special Offers

  1. Short Message Service(SMS) & Mail Service

    50,000 email package starts as low as USD 1.99, 120 short messages start at only USD 1.00