Uploaded image for project: 'mod-data-import'
  1. mod-data-import
  2. MODDATAIMP-732

Spring 5.2.22 fixing spring-beans Spring4Shell CVE-2022-22965

    XMLWordPrintable

Details

    • 0
    • Folijet
    • Morning Glory (R2 2022) Hot Fix #1
    • Yes
    • Spring4Shell hot fixes have been approved on #release-bug-triage on 2022-05-06.
    • Related dependency upgrade

    Description

      Upgrade springframework from 5.2.8.RELEASE to 5.2.22.RELEASE to fix the Spring4Shell Remote Code Execution vulnerability in spring-beans (FOLIO-3466):

      https://nvd.nist.gov/vuln/detail/CVE-2022-22965

      Before the upgrade:

      $ mvn dependency:tree -Dincludes=org.springframework
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ mod-data-import ---
[INFO] org.folio:mod-data-import:jar:2.5.1-SNAPSHOT
[INFO] \- org.folio:folio-di-support:jar:1.4.1:compile
[INFO]    +- org.springframework:spring-core:jar:5.2.8.RELEASE:compile
[INFO]    |  \- org.springframework:spring-jcl:jar:5.2.8.RELEASE:compile
[INFO]    \- org.springframework:spring-context:jar:5.2.8.RELEASE:compile
[INFO]       +- org.springframework:spring-aop:jar:5.2.8.RELEASE:compile
[INFO]       +- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile
[INFO]       \- org.springframework:spring-expression:jar:5.2.8.RELEASE:compile

      After the upgrade:

      $ mvn dependency:tree -Dincludes=org.springframework
-Dincludes=org.springframework
[INFO] --- maven-dependency-plugin:2.8:tree (default-cli) @ mod-data-import ---
[INFO] org.folio:mod-data-import:jar:2.5.1-SNAPSHOT
[INFO] \- org.folio:folio-di-support:jar:1.4.1:compile
[INFO]    +- org.springframework:spring-core:jar:5.2.22.RELEASE:compile
[INFO]    |  \- org.springframework:spring-jcl:jar:5.2.22.RELEASE:compile
[INFO]    \- org.springframework:spring-context:jar:5.2.22.RELEASE:compile
[INFO]       +- org.springframework:spring-aop:jar:5.2.22.RELEASE:compile
[INFO]       +- org.springframework:spring-beans:jar:5.2.22.RELEASE:compile
[INFO]       \- org.springframework:spring-expression:jar:5.2.22.RELEASE:compile

      TestRail: Results

        Attachments

          Issue Links

            blocks

            Umbrella - FOLIO-3466 Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965)

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Task - A task that needs to be done. MODDATAIMP-733 Release v2.5.1 (R2 Morning Glory Hot Fix)

            • P2 - normal priority level, must be included in the current development cycle
            • Closed
            defines

            New Feature - New feature requests UXPROD-3557 NFR: Data Import Technical, NFR, & Misc work (Nolana R3 2022)

            • P2 - normal priority level, must be included in the current development cycle
            • Closed
            relates to

            Bug - A problem which impairs or prevents the functions of the product. MODDATAIMP-730 Spring 5.3, kafkaclients 3.2.3, folio-di-support 1.7.0

            • P2 - normal priority level, must be included in the current development cycle
            • Closed

            Activity

              People

                julianladisch Julian Ladisch
                julianladisch Julian Ladisch
                Votes:
                0 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  TestRail: Runs

                    TestRail: Cases