MODDATAIMP-732 (mod-data-import)

Spring 5.2.22 fixing spring-beans Spring4Shell CVE-2022-22965


Details

    • 0
    • Development Team: Folijet
    • Fix Version/s: Morning Glory (R2 2022) Hot Fix #1
    • Yes
    • Spring4Shell hot fixes have been approved on #release-bug-triage on 2022-05-06.
    • Related dependency upgrade

    Description

      Upgrade Spring Framework from 5.2.8.RELEASE to 5.2.22.RELEASE to fix the Spring4Shell remote code execution vulnerability in spring-beans (FOLIO-3466):

      https://nvd.nist.gov/vuln/detail/CVE-2022-22965

      CVE-2022-22965 is a class-loader manipulation issue in Spring's data binding, which lives in spring-beans. The Spring advisory lists 5.2.0 to 5.2.19 and 5.3.0 to 5.3.17 (plus older, unsupported lines) as affected, with 5.2.20 and 5.3.18 as the first fixed releases, so 5.2.22.RELEASE is past the fix on the 5.2 line. The published exploit chain additionally needs JDK 9+ and a Spring MVC or WebFlux endpoint that binds request parameters; whether that path is reachable in this module is not settled by the dependency finding alone, but the upgrade removes the affected spring-beans either way. The Spring artifacts are not direct dependencies of mod-data-import but arrive transitively through folio-di-support, so the version has to be verified in the resolved tree, as below, rather than in the module's own dependency list.

      Before the upgrade:

      $ mvn dependency:tree -Dincludes=org.springframework
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ mod-data-import ---
      [INFO] org.folio:mod-data-import:jar:2.5.1-SNAPSHOT
      [INFO] \- org.folio:folio-di-support:jar:1.4.1:compile
      [INFO]    +- org.springframework:spring-core:jar:5.2.8.RELEASE:compile
      [INFO]    |  \- org.springframework:spring-jcl:jar:5.2.8.RELEASE:compile
      [INFO]    \- org.springframework:spring-context:jar:5.2.8.RELEASE:compile
      [INFO]       +- org.springframework:spring-aop:jar:5.2.8.RELEASE:compile
      [INFO]       +- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile
      [INFO]       \- org.springframework:spring-expression:jar:5.2.8.RELEASE:compile
      

      After the upgrade:

      $ mvn dependency:tree -Dincludes=org.springframework
      [INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ mod-data-import ---
      [INFO] org.folio:mod-data-import:jar:2.5.1-SNAPSHOT
      [INFO] \- org.folio:folio-di-support:jar:1.4.1:compile
      [INFO]    +- org.springframework:spring-core:jar:5.2.22.RELEASE:compile
      [INFO]    |  \- org.springframework:spring-jcl:jar:5.2.22.RELEASE:compile
      [INFO]    \- org.springframework:spring-context:jar:5.2.22.RELEASE:compile
      [INFO]       +- org.springframework:spring-aop:jar:5.2.22.RELEASE:compile
      [INFO]       +- org.springframework:spring-beans:jar:5.2.22.RELEASE:compile
      [INFO]       \- org.springframework:spring-expression:jar:5.2.22.RELEASE:compile
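      A check over the resolved tree, added here as an example and not code from the ticket or from the mod-data-import project: it parses `mvn dependency:tree` output, extracts every org.springframework artifact and version, and flags those in the CVE-2022-22965 range. The two tree listings above are embedded as the sample input (the "after" tree is derived from the "before" one by substituting the version string). The thresholds 5.2.20 and 5.3.18 are the first fixed releases per the Spring advisory; the check reports every org.springframework artifact below them, not only spring-beans, on the assumption that a Spring classpath left at a mixed or old version is itself worth surfacing.

```shell
#!/bin/sh
# Added example (not from the ticket): scan `mvn dependency:tree` output for
# Spring Framework artifacts in the CVE-2022-22965 (Spring4Shell) range.
# Affected per the Spring advisory: 5.2.0-5.2.19, 5.3.0-5.3.17 and older lines;
# first fixed releases are 5.2.20 and 5.3.18.

# spring4shell_vulnerable VERSION -> status 0 if VERSION is in the affected range.
# Runs in a subshell so IFS and positional parameters stay local.
spring4shell_vulnerable() (
  v=${1%.RELEASE}                  # 5.2.x tags carry a ".RELEASE" suffix
  IFS=.
  set -- $v                        # split "major.minor.patch"
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}          # drop qualifiers such as "-SNAPSHOT"
  patch=${patch:-0}
  [ "$major" -lt 5 ] && exit 0     # 4.x and earlier: unsupported, affected
  [ "$major" -gt 5 ] && exit 1     # 6.x: released after the fix
  [ "$minor" -lt 2 ] && exit 0     # 5.0 / 5.1: unsupported, affected
  if [ "$minor" -eq 2 ]; then [ "$patch" -lt 20 ] && exit 0; exit 1; fi
  if [ "$minor" -eq 3 ]; then [ "$patch" -lt 18 ] && exit 0; exit 1; fi
  exit 1                           # 5.4+ does not exist; treat as fixed
)

# spring_artifacts: read tree output on stdin, print "artifactId version" per
# org.springframework:* line. The colon after the groupId keeps
# org.springframework.boot:* and other sibling groups out of the match.
spring_artifacts() {
  grep -o 'org\.springframework:[^:]*:jar:[^:]*' | awk -F: '{ print $2, $4 }'
}

# scan_tree: read tree output on stdin, print one verdict line per artifact.
scan_tree() {
  spring_artifacts | while read -r artifact version; do
    if spring4shell_vulnerable "$version"; then
      echo "VULNERABLE $artifact $version"
    else
      echo "ok         $artifact $version"
    fi
  done
}

# count_vulnerable: number of VULNERABLE verdicts for the tree on stdin
# (grep -c prints 0 and exits 1 when nothing matches, hence the || true).
count_vulnerable() {
  scan_tree | grep -c '^VULNERABLE' || true
}

# Sample input: the "before" tree copied from the ticket. The "after" tree is
# derived from it by swapping the version string, matching the ticket's listing.
BEFORE_TREE=$(cat <<'EOF'
[INFO] org.folio:mod-data-import:jar:2.5.1-SNAPSHOT
[INFO] \- org.folio:folio-di-support:jar:1.4.1:compile
[INFO]    +- org.springframework:spring-core:jar:5.2.8.RELEASE:compile
[INFO]    |  \- org.springframework:spring-jcl:jar:5.2.8.RELEASE:compile
[INFO]    \- org.springframework:spring-context:jar:5.2.8.RELEASE:compile
[INFO]       +- org.springframework:spring-aop:jar:5.2.8.RELEASE:compile
[INFO]       +- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile
[INFO]       \- org.springframework:spring-expression:jar:5.2.8.RELEASE:compile
EOF
)
AFTER_TREE=$(printf '%s\n' "$BEFORE_TREE" | sed 's/5\.2\.8\.RELEASE/5.2.22.RELEASE/g')

# Stand-alone run: verdicts for both trees. Against a real build, pipe in
#   mvn dependency:tree -Dincludes=org.springframework | scan_tree
printf '%s\n' "$BEFORE_TREE" | scan_tree
printf '%s\n' "$AFTER_TREE"  | scan_tree
```

      Run against a live build as `mvn dependency:tree -Dincludes=org.springframework | sh -c '. ./spring4shell-check.sh; scan_tree'` (file name assumed); a non-zero `count_vulnerable` is the signal to pin the Spring version in the consuming pom, since the vulnerable artifacts come in through folio-di-support rather than as direct dependencies.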
      

              People

                Assignee: Julian Ladisch (julianladisch)
                Reporter: Julian Ladisch (julianladisch)
