Tech Support
Documentation
Login
Contact Us
2,300+
Enterprise Clients
TuxCare’s Upcoming Webinars: STIG Security 101 [Sept 18th] & When Spring Ends: How to Securely Work with End-of-Life Spring Projects [Sept 19th]
NEW PATCHES AVAILABLE FOR CVE-2025-22235 and CVE-2025-22234. See all recently fixed Spring CVEs here.
Most Spring projects rely on Spring Framework and Spring Boot. While some releases are designated as long-term support (LTS), many receive community support for only 12 to 18 months. After end of life, security patches stop – leaving unmaintained systems exposed.
When the Clock Runs Out,
Upgrading Isn’t Always Easy
Upgrading to newer versions can introduce compatibility issues –
especially for applications built on complex or legacy tech stacks.
Security
Security
Security
Security
Controllers (Web/API)
Controllers (Web/API)
Controllers (Web/API)
Controllers (Web/API)
Service Layer
Service Layer
Service Layer
Service Layer
Data Layer
Data Layer
Data Layer
Data Layer
Infra/Confirguration
Infra/Confirguration
Infra/Confirguration
Infra/Confirguration
- Almost complete backward compatibility
- Partial compatibility
- Low backward compatibility
Note: This visualization reflects typical upgrade pain points across application layers.
Failing to upgrade in time, can expose your systems to security
vulnerabilities and lead to compliance audit failures.
But, fortunately, there is a better path forward
with Endless Lifecycle Support from TuxCare.
With Endless Lifecycle Support
for Spring, you can:
Minimize Security Risks
Get ongoing security patches for Spring vulnerabilities while you strategize your upgrade
Preserve Compatibility
Avoid code refactoring and keep your Spring applications running smoothly for years to come
Ensure Compliance
Gain 14-day SLAs for security fixes and establish transparency with detailed SBOMs for each library
Spring Boot and Spring Framework
Support Lifecycles
Track key Spring Boot and Spring Framework milestones and see
how TuxCare extends your protection for as long as you need.
TuxCare Takes Up the Security Support Baton
for the Following Spring Versions
Project
Module
Version
Spring Framework
Spring Boot
Spring Data
Spring Security
Spring Batch
Spring Web Services
Spring Integration
Spring Hateoas
Spring LDAP
Spring GraphQL
Spring AMQP
Spring RetrySpring PluginModule
spring-aop
spring-aspects
spring-beans
spring-context
spring-context-indexer
spring-context-support
spring-core
spring-core-test
spring-expression
spring-instrument
spring-jcl
spring-jdbc
spring-jms
spring-messaging
spring-orm
spring-oxm
spring-r2dbc
spring-test
spring-tx
spring-web
spring-webflux
spring-webmvc
spring-websocket
spring-boot
spring-boot-actuator
spring-boot-actuator-autoconfigure
spring-boot-autoconfigure
spring-boot-dependencies
spring-boot-devtools
spring-boot-docker-compose
spring-boot-parent
spring-boot-test
spring-boot-test-autoconfigure
spring-boot-testcontainers
spring-boot-starter
spring-boot-starter-activemq
spring-boot-starter-actuator
spring-boot-starter-amqp
spring-boot-starter-aop
spring-boot-starter-artemis
spring-boot-starter-batch
spring-boot-starter-cache
spring-boot-starter-data-cassandra
spring-boot-starter-data-cassandra-reactive
spring-boot-starter-data-couchbase
spring-boot-starter-data-couchbase-reactive
spring-boot-starter-data-elasticsearch
spring-boot-starter-data-jdbc
spring-boot-starter-data-jpa
spring-boot-starter-data-ldap
spring-boot-starter-data-mongodb
spring-boot-starter-data-mongodb-reactive
spring-boot-starter-data-neo4j
spring-boot-starter-data-r2dbc
spring-boot-starter-data-redis
spring-boot-starter-data-redis-reactive
spring-boot-starter-data-rest
spring-boot-starter-freemarker
spring-boot-starter-graphql
spring-boot-starter-groovy-templates
spring-boot-starter-hateoas
spring-boot-starter-integration
spring-boot-starter-jdbc
spring-boot-starter-jersey
spring-boot-starter-jetty
spring-boot-starter-jooq
spring-boot-starter-json
spring-boot-starter-log4j2
spring-boot-starter-logging
spring-boot-starter-mail
spring-boot-starter-mustache
spring-boot-starter-oauth2-authorization-server
spring-boot-starter-oauth2-client
spring-boot-starter-oauth2-resource-server
spring-boot-starter-parent
spring-boot-starter-pulsar
spring-boot-starter-pulsar-reactive
spring-boot-starter-quartz
spring-boot-starter-reactor-netty
spring-boot-starter-rsocket
spring-boot-starter-security
spring-boot-starter-test
spring-boot-starter-thymeleaf
spring-boot-starter-tomcat
spring-boot-starter-undertow
spring-boot-starter-validation
spring-boot-starter-web
spring-boot-starter-web-services
spring-boot-starter-webflux
spring-boot-starter-websocket
spring-boot-antlib
spring-boot-autoconfigure-processor
spring-boot-buildpack-platform
spring-boot-cli
spring-boot-configuration-metadata
spring-boot-configuration-processor
spring-boot-gradle-plugin
spring-boot-jarmode-tools
spring-boot-loader
spring-boot-loader-classic
spring-boot-loader-tools
spring-boot-maven-plugin
spring-boot-properties-migrator
parent
build
build-resources
rest-webmvc
parent
rest-core
relational
relational-parent
redis
r2dbc
neo4j
mongodb
mongodb-parent
mongodb-distribution
ldap
keyvalue
jpa
jdbc
jdbc-distribution
elasticsearch
couchbase
commons
cassandra
cassandra-parent
bom
web
web
test
taglibs
saml2-service-provider
rsocket
remoting
openid
oauth2-resource-server
oauth2-resource-server
oauth2-jose
oauth2-jose
oauth2-core
oauth2-core
oauth2-client
oauth2-client
messaging
ldap
data
crypto
crypto
core
core
config
config
cas
bom
bom
aspects
acl
infrastructure
core
xml
ws
ws-test
ws-support
ws-core
ws-security
core
ws
bom
kafka
hateoas
core
graphql
graphql-test
rabbit
amqp
retry
plugin-core
Version
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
5.3.39; 6.1.20; 6.2.7
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18; 3.2.12; 3.3.12; 3.4.6
2.7.18
2.7.18
2.7.18
3.7.18
2.7.18
3.7.18
2.4.18
2.4.18
2.7.18
1.5.18
6.3.18
3.4.18
3.4.18
3.4.18
2.7.18
2.7.18
2.7.18
2.4.18
2.4.18
4.4.18
4.4.18
2.7.18
3.4.18
3.4.18
2021.2.18
5.8.15
5.7.11
5.8.15
5.8.15
5.8.15
5.8.15
5.8.15
5.8.15
5.8.15
5.7.11
5.8.15
5.7.11
5.8.15
5.7.11
5.8.15
5.7.11
5.8.15
5.8.15
5.8.15
5.8.15
5.7.11
5.8.15
5.7.11
5.8.15
5.7.11
5.8.15
5.8.15
5.7.11
5.8.15
5.8.15
4.3.10
4.3.10
3.1.8
3.1.8
3.1.8
3.1.8
3.1.8
3.1.8
5.5.20
5.5.20
5.5.20
5.5.20
1.5.6
2.4.1
1.0.6
1.0.6
2.4.17
2.4.17
1.3.4
2.0.0.RELEASE
Our Service Expands Your Protection by Also Patching
Transitive Dependencies, Including These Key Projects
Google
Guava
Apache
Santuario
Apache
Velocity
Apache
Kafka
SnakeYAML
Snappy
Java
Woodstox
Core
Jackson
Databind
Plexus Common
Utilities
Netty
Set Up Your Endless Support for
Spring in Just a Few Clicks
Step 1
Get your ELS for Spring
access credentials
Step 2
Adjust your Maven/Gradle
configuration files
Step 3
Switch to the TuxCare versions
of your libraries
New CVEs, No Problem
Vulnerabilities Don’t Wait – Neither Does ELS for Spring
Endless Lifecycle Support (ELS) for Spring rapidly delivers fixes for vulnerabilities across many end-of-life versions of various
Spring projects. As new CVEs emerge, TuxCare proactively addresses them.
If your tech stack still relies on outdated Spring versions, your applications are exposed to the security risks listed below.
Switch to Endless Lifecycle Support for Spring in just a few steps to start safeguarding your applications right away.
| CVE ID | Description | Severity | CWE-ID and name | Affected project | Affected versions | Publish date |
|---|---|---|---|---|---|---|
| CVE-2025-22235 | Spring Boot EndpointRequest.to() creates wrong matcher if actuator endpoint is not exposed | HIGH: 7.3 |
CWE-20: Improper Input Validation | Spring Boot | <2.7.0;2.7.24.2> <3.1.0;3.1.15.2> <3.2.0;3.2.13.2> <3.3.0;3.3.10> <3.4.0;3.4.4> |
April 24th 2025 |
| CVE-2025-22234 | Spring Security BCryptPasswordEncoder maximum password length breaks timing attack mitigation | MEDIUM: 5.3 | CWE-693: Protection Mechanism Failure | Spring Security | 5.7.16 only 5.8.16.tuxcare only 5.8.16.tuxcare.1 only 5.8.16.tuxcare.2 only 5.8.18 only 6.0.16 only 6.1.14 only 6.2.10 only 6.3.8 only 6.4.4 only |
April 22nd 2025 |
| CVE-2025-22228 | Spring Security BCryptPasswordEncoder does not enforce maximum password length | HIGH: 7.4 | CWE-287: Improper Authentication | Spring Security | 5.6.2 and older, <5.7.0;5.7.15>, <5.8.0;5.8.16>, <6.0.0;6.0.15>, <6.1.0;6.1.13>, <6.2.0;6.2.9>, <6.3.0;6.3.7>, <6.4.0;6.4.3> | March 19th 2025 |
| CVE-2024-38827 | Spring Security Authorization Bypass for Case Sensitive Comparisons | CRITICAL: 9.1 | CWE-639: Authorization Bypass Through User-Controlled Key | Spring Security | <5.7.0;5.7.13>, <5.8.0;5.8.15>, <6.0.0;6.0.13>, <6.1.0;6.1.11>, <6.2.0;6.2.7>, <6.3.0;6.3.4> | November 19th 2024 |
| CVE-2024-38829 | Spring LDAP sensitive data exposure for case-sensitive comparisons | LOW: 3.7 | CWE-178: Improper Handling of Case Sensitivity | Spring LDAP | All prior to 2.4.0, <2.4.0;2.4.3>, <3.0.0;3.0.9>, <3.1.0;3.1.7>, <3.2.0;3.2.7> | 19th November 2024 |
| CVE-2024-38828 | DoS via Spring MVC controller method with byte[] parameter | MEDIUM: 5.3 | CWE-400: Uncontrolled Resource Consumption | Spring Framework | All prior to 5.3.0, <5.3.0;5.3.41> | 15th November 2024 |
| CVE-2024-38821 | Authorization Bypass of Static Resources in WebFlux Applications | CRITICAL: 9.1 | CWE-770: Allocation of Resources Without Limits or Throttling | Spring Security | All prior to 5.7.13, <5.8.0;5.8.14>, <6.0.0;6.0.12>, <6.1.0;6.1.10>, <6.2.0;6.2.6>, <6.3.0;6.3.3> | 22nd of October 2024 |
Why TuxCare?
Extensive Coverage of Open-Source Technologies
We provide long-term security across your entire stack, supporting a wide and continually expanding set of open-source projects, libraries, and runtimes – all from a single, trusted partner.
Efficiencies in Build Chains and Testing
We utilize advanced automation across CVE discovery, backporting, building, and release workflows to accelerate delivery and ensure the highest possible quality of security patches.
Identification and Patching of Transitive Dependencies
We go beyond surface-level scanning to uncover and fix hidden vulnerabilities deep in your dependency trees, securing the entire software supply chain with precision and scale.
Fast and Consistent Delivery of Patches with Supporting SLAs
Automated pipelines and mature workflows ensure rapid, reliable patch delivery backed by SLAs – giving you confidence in your risk management and compliance posture.
We’ve Been Powering Enterprise-Grade Patching At
Unprecedented Scale – and We're Just Getting Started
10,000+
Packages Supported
197,000+
Patches Delivered
5,000+
Vulnerabilities Fixed
10,000+
Linux Kernels Continuously Patched
60+
Linux Distro Versions Supported
Looking to Ensure
the Security of Your Entire
Java Supply Chain?
Discover TuxCare’s SecureChain for Java to safeguard your entire Java tech stack so you can focus more on innovation. Our trusted repository offers secure, compliant Java libraries and packages, guaranteeing seamless operation without the need for resource-consuming code refactoring.
Long-Term Security After Standard Support Ends
TuxCare ELS continues to deliver enduring security for your distro, language, or software development framework for as many years as your organization requires
CentOS Stream
Endless Lifecycle Support for CentOS Stream 8
End of life: June 2024You can rely on Endless Lifecycle Support for CentOS Stream 8 to continue receiving security updates for as long as you need – so that you have enough time to migrate to another Linux distribution securely.
Learn More
Oracle Linux 7
Endless Lifecycle Support for Oracle Linux 7
End of life: December 2024Give your team plenty of time to upgrade to Oracle Linux 8 or 9 with ELS for Oracle Linux 7, which continues to deliver security patches for as long as you need at a much more affordable cost than an Oracle Premier Support plan.
Learn More
.NET 6.0
Endless Lifecycle Support for .NET
End of life: November 2024Keep using .NET 6 while continuing to receive security updates on both Windows and Linux, for as many years as you need, so your .NET applications remain secure, stable, and compatible until you’re ready to upgrade.
Learn More
Angular
Endless Lifecycle Support for Angular
End of life: Varies for different versionsNeed more time for a safe and smooth upgrade to the latest Angular version? With ELS from TuxCare, you can maintain the security, stability, and compatibility of your existing Angular applications for as many years as you need.
Learn More
AngularJS
Endless Lifecycle Support for AngularJS
End of life: December 2021Not ready to upgrade your end-of-life AngularJS applications just yet? TuxCare ELS lets you keep them secure, stable, and fully compatible for as long as you need — giving you the breathing room to upgrade when it works for you.
Learn More
Apache Tomcat
Endless Lifecycle Support for Apache Tomcat
End of life: March 2024Ensure your Apache Tomcat deployment stays protected without security risks or compatibility concerns. With ELS, you can continue using end-of-life Apache Tomcat versions with confidence for as long as you need.
Learn More
CentOS 6
Endless Lifecycle Support for CentOS 6
End of life: December 2020TuxCare’s Endless Lifecycle Support gives you the same official security patches you used to get with CentOS 6, and we’ll continue to provide you with ongoing security support for as many years as you need.
Learn More
CentOS 7
Endless Lifecycle Support for CentOS 7
End of life: June 2024CentOS 7 is going end of life in June 2024, but you can enjoy ongoing security updates for as long as you need with our Extended Lifecycle Support – buying time to plan your migration, while keeping your workload safe.
Learn More
Oracle Linux 6
Endless Lifecycle Support for Oracle Linux 6
End of life: March 2021TuxCare will deliver Extended Lifecycle Support for Oracle Linux 6 for as many years as you need, saving you significantly on costs compared to Oracle Linux Premier Support while providing the same vulnerability coverage.
Learn More
PHP
Endless Lifecycle Support for PHP
End of life:Buy yourself and your organization time to develop new production code while receiving ongoing security patches for out-of-support PHP versions with Endless Lifecycle Support to maintain the safety of your systems.
Learn More
Python
Endless Lifecycle Support for Python 2.x
End of life: January 2020Python Extended Lifecycle Service from TuxCare breathes new life into code written for Python 2.7 so you can continue using your existing software on AlmaLinux, Rocky, or Red Hat Enterprise Linux 9 as before.
Learn More
Ubuntu 16.04
Endless Lifecycle Support for Ubuntu 16.04
End of life: April 2021Save on costs compared to Ubuntu Pro for Ubuntu 16.04 when you choose TuxCare Endless Lifecycle Support for ongoing security maintenance, which will keep you protected for as many years as you need beyond the end-of-life date.
Learn More
Ubuntu 18.04
Endless Lifecycle Support for Ubuntu 18.04
End of life: June 2023Choose TuxCare for Ubuntu 18.04 endless support and save significantly over an Ubuntu Pro subscription from Canonical, with security updates for your Ubuntu workloads lasting as long as you need.
Learn More
Ubuntu 20.04
Endless Lifecycle Support for Ubuntu 20.04
End of life: End of Life: May 2025Continue safely working with Ubuntu 20.04 for as many years as you’d like, with TuxCare delivering ongoing security updates to protect your systems for as long as your organization needs.
Learn More
CentOS 8
Extended Lifecycle Support for CentOS 8
End of life: December 2021All the way through January 2026, you can rely on TuxCare for Extended Lifecycle Support to cover security updates for your CentOS 8 Linux distribution – so that you have enough time to migrate to another distro.
Learn More
RHEL 7
Endless Lifecycle Support for RHEL 7
End of life: June 2024Secure your RHEL 7 infrastructure beyond the end of life with ELS – an affordable, precision-engineered support solution that delivers ongoing security patches for as long as you need.
Learn More