[MODSOURMAN-923] Spring 5.2.22 fixing Spring4Shell CVE-2022-22965 (MG) - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P2
Resolution: Done
Affects Version/s: 3.4.5
Fix Version/s: 3.4.6
Labels:

Template:
Sprint:
Folijet Sprint 155
Story Points:
0
Development Team:
Folijet
Release:
Morning Glory (R2 2022) Hot Fix #1
Epic Link:
Batch Importer (Bib/Acq)
RCA Group:
Related dependency upgrade

Description

mod-source-record-manager 3.4.5 is used for Morning Glory platform-complete.

mod-source-record-manager 3.4.5 comes with the runtime dependency spring-beans 5.2.8.RELEASE that has the Spring4Shell Remote Code Execution vulnerability, for details see ~~FOLIO-3466~~ and https://nvd.nist.gov/vuln/detail/CVE-2022-22965 .

Fix: Upgrade Spring Framework from 5.2.8.RELEASE to 5.2.22.RELEASE.

And release as Morning Glory Hot Fix.

Note: This issue is for fixing Spring4Shell in Morning Glory only. For Nolana (and Orchid) it has been fixed with ~~MODSOURMAN-889~~.

TestRail: Results

Attachments

Issue Links

blocks

FOLIO-3466 Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965)

Closed

MODSOURMAN-929 Release v3.4.6 (R2 MG HF#1)

Closed

defines

UXPROD-3725 NFR: Data Import Technical, NFR, & Misc work (Orchid R1 2023)

Closed

relates to

MODDATAIMP-750 Update util dependencies

Closed

MODDICONV-279 Spring 5.2.22 fixing vulnerabilities (Spring4Shell, etc.) MG

Closed

MODSOURMAN-889 folio-di-support 1.6.0 fixing Spring4Shell CVE-2022-22965

Closed

(1 relates to)

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 12/Dec/22 2:28 PM

Updated:: 18/Jan/23 9:35 AM

Resolved:: 21/Dec/22 10:43 AM

Spring 5.2.22 fixing Spring4Shell CVE-2022-22965 (MG)