hudi-bot opened a new issue, #15111: URL: https://github.com/apache/hudi/issues/15111
We should upgrade the Spring Framework version at Hudi CLI because of CVE-2022-22965. The Qualys Scanner finds these packages and raises a warning because of the existence of these files on the system. The found files are:

- /usr/lib/hudi/cli/lib/spring-beans-4.2.4.RELEASE.jar
- /usr/lib/hudi/cli/lib/spring-core-4.2.4.RELEASE.jar

More Information:

- Spring Framework: https://spring.io/projects/spring-framework
- Spring project spring-framework release notes: https://github.com/spring-projects/spring-framework/releases
- CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965

## JIRA info

- Link: https://issues.apache.org/jira/browse/HUDI-3819
- Type: Bug
- Epic: https://issues.apache.org/jira/browse/HUDI-1388
- Affects version(s):
  - 0.10.1
  - 0.9.0

---

## Comments

12/Apr/22 07:39, codope:

These are the prerequisites for the exploit:

* JDK 9 or higher
* Apache Tomcat as the Servlet container
* Packaged as WAR
* spring-webmvc or spring-webflux dependency

Should we treat it as a blocker given that we don't officially support JDK 9 or higher? Moreover, the vulnerability has not been patched in spring-shell yet; the latest artifact is still 1.2.0.RELEASE: https://mvnrepository.com/artifact/org.springframework.shell/spring-shell

And even the OSS release version is 2.0.1, which is about 4 years old: https://github.com/spring-projects/spring-shell/releases/tag/v2.0.1.RELEASE so building from source wouldn't help much. At best, we can try to exclude spring-core from spring-shell and add the latest spring-core explicitly as a compile-time dependency. But it could throw up some compatibility issues. I'll give it a try. However, imo, we can wait until there is an official patched spring-shell artifact available.

---

12/Apr/22 08:22, codope:

As suspected, there is a class not found issue after upgrade. Details in this draft PR: https://github.com/apache/hudi/pull/5299

---

12/Apr/22 14:33, jasonmadam:

Hi [~codope], the official Spring site is listing spring-shell v2.0.1 as the current version: https://spring.io/projects/spring-shell#overview

You can find the maven listing here: https://mvnrepository.com/artifact/org.springframework.shell/spring-shell-starter

---

12/Apr/22 15:50, codope:

Ah I see, so it got renamed to spring-shell-starter. Let me try that.

---

12/Apr/22 15:58, codope:

So, as I mentioned before, v2.0.1.RELEASE is still not patched. It still pulls in spring-core and spring-beans 4.3.12.RELEASE:

```
[INFO] +- org.springframework.shell:spring-shell-starter:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-core:jar:2.0.1.RELEASE:compile
[INFO] |  |  +- org.springframework.boot:spring-boot-starter:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  |  \- org.springframework:spring-context:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  |     +- org.springframework:spring-aop:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  |     \- org.springframework:spring-expression:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-autoconfigure:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  +- org.springframework.boot:spring-boot-starter-logging:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  |  +- ch.qos.logback:logback-classic:jar:1.1.11:compile
[INFO] |  |  |  |  |  \- ch.qos.logback:logback-core:jar:1.1.11:compile
[INFO] |  |  |  |  \- org.slf4j:log4j-over-slf4j:jar:1.7.25:compile
[INFO] |  |  |  +- org.springframework:spring-core:jar:4.3.12.RELEASE:compile
[INFO] |  |  |  \- org.yaml:snakeyaml:jar:1.17:runtime
[INFO] |  |  +- org.springframework.boot:spring-boot-starter-validation:jar:1.5.8.RELEASE:compile
[INFO] |  |  |  +- org.apache.tomcat.embed:tomcat-embed-el:jar:8.5.23:compile
[INFO] |  |  |  \- org.hibernate:hibernate-validator:jar:5.3.5.Final:compile
[INFO] |  |  |     +- org.jboss.logging:jboss-logging:jar:3.3.0.Final:compile
[INFO] |  |  |     \- com.fasterxml:classmate:jar:1.3.1:compile
[INFO] |  |  +- org.jline:jline:jar:3.4.0:compile
[INFO] |  |  \- org.jline:jline-terminal-jna:jar:3.4.0:runtime
[INFO] |  |     +- net.java.dev.jna:jna:jar:4.2.2:runtime
[INFO] |  |     \- org.jline:jline-terminal:jar:3.4.0:runtime
[INFO] |  +- org.springframework.shell:spring-shell-standard:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-standard-commands:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-shell1-adapter:jar:2.0.1.RELEASE:compile
[INFO] |  +- org.springframework.shell:spring-shell-jcommander-adapter:jar:2.0.1.RELEASE:compile
[INFO] |  \- org.springframework.shell:spring-shell-table:jar:2.0.1.RELEASE:compile
[INFO] |     \- org.springframework:spring-beans:jar:4.3.12.RELEASE:compile
```
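A defender-side check for the Qualys finding discussed in this thread, added here as an example (it is not code from the issue or from the Hudi project): it scans a lib directory such as /usr/lib/hudi/cli/lib for spring-core and spring-beans jars whose version predates the CVE-2022-22965 fix. The fixed versions 5.3.18 and 5.2.20 come from Spring's advisory rather than from this thread; every 4.x release, including the 4.2.4 and 4.3.12 jars above, was never fixed.

```bash
#!/usr/bin/env bash
# Added example, not part of the Hudi issue or project. Flags spring-core /
# spring-beans jars still affected by CVE-2022-22965 by file name alone, the
# same signal the scanner in the issue keys on. Fixed versions 5.3.18 and
# 5.2.20 are taken from the Spring advisory (assumption: the jar file name
# carries the Maven version, e.g. spring-core-4.2.4.RELEASE.jar).

# Returns 0 (true) when the given Spring Framework version is still affected.
spring_version_affected() {
  local v="${1%%.RELEASE}"                 # 4.3.12.RELEASE -> 4.3.12
  local major="${v%%.*}" rest="${v#*.}"
  local minor="${rest%%.*}" patch="${rest#*.}"
  patch="${patch%%.*}"
  case "$major$minor$patch" in
    *[!0-9]*|"") return 0 ;;               # unparseable: treat as affected
  esac
  [ "$major" -ge 6 ] && return 1           # 6.x shipped after the fix
  if [ "$major" -eq 5 ] && [ "$minor" -eq 3 ]; then
    [ "$patch" -lt 18 ]; return $?         # fixed in 5.3.18
  fi
  if [ "$major" -eq 5 ] && [ "$minor" -eq 2 ]; then
    [ "$patch" -lt 20 ]; return $?         # fixed in 5.2.20
  fi
  return 0                                 # 4.x and earlier, 5.0.x, 5.1.x: no fix
}

# Prints each affected spring-core / spring-beans jar under $1, one per line.
# Exit status 1 when at least one affected jar was found, 0 otherwise.
scan_spring_jars() {
  local dir="$1" found=0 jar base ver
  for jar in "$dir"/spring-core-*.jar "$dir"/spring-beans-*.jar; do
    [ -e "$jar" ] || continue              # glob matched nothing
    base="${jar##*/}"                      # spring-core-4.2.4.RELEASE.jar
    ver="${base#spring-core-}"; ver="${ver#spring-beans-}"
    ver="${ver%.jar}"                      # 4.2.4.RELEASE
    if spring_version_affected "$ver"; then
      echo "$jar"
      found=1
    fi
  done
  return $found
}

# Usage: scan_spring_jars /usr/lib/hudi/cli/lib
for d in "$@"; do scan_spring_jars "$d"; done
```

Run it against the directory from the issue and the non-zero exit status gives a simple pass/fail for a build or deployment gate.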
