[ https://issues.apache.org/jira/browse/RANGER-3691?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17521228#comment-17521228 ]
kirby zhou commented on RANGER-3691: ------------------------------------ For me, if 2.3.0 will release before June, it is acceptable. If not, I suggest a 2.2.1 release with spring、log4j2、tomcat version bump。 > Upgrade spring to 5.3.18 CVE-2022-22965 > --------------------------------------- > > Key: RANGER-3691 > URL: https://issues.apache.org/jira/browse/RANGER-3691 > Project: Ranger > Issue Type: Bug > Components: admin, kms > Reporter: kirby zhou > Assignee: kirby zhou > Priority: Blocker > Fix For: 3.0.0, 2.3.0 > > > [https://tanzu.vmware.com/security/cve-2022-22965|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22965] > [https://github.com/spring-projects/spring-framework/releases] > > Spring has a new 0day Remote-Code-Execution problem, related to spring-beans > and JDK9+ > Fixed at spring 5.3.18 / 5.2.20 > -- This message was sent by Atlassian Jira (v8.20.1#820001)