[jira] [Updated] (IGNITE-16781) Upgrade org.springframework:spring-core for CVE-2022-22965 (a.k.a. Spring4Shell)

Mon, 18 Apr 2022 07:38:06 -0700 


     [ 
https://issues.apache.org/jira/browse/IGNITE-16781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Amelchev Nikita updated IGNITE-16781:
-------------------------------------
    Ignite Flags: Release Notes Required  (was: Docs Required,Release Notes 
Required)

> Upgrade org.springframework:spring-core for CVE-2022-22965 (a.k.a. 
> Spring4Shell)
> --------------------------------------------------------------------------------
>
>                 Key: IGNITE-16781
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16781
>             Project: Ignite
>          Issue Type: Bug
>          Components: spring
>            Reporter: Danut Radoaica
>            Assignee: Roman Puchkovskiy
>            Priority: Critical
>             Fix For: 2.14
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Upgrade org.springframework:spring-beans to version 5.2.20 or later
> Upgrade org.springframework:spring-core to version 5.2.20 or later
> Vulnerable versions: < 5.2.20
> Patched version: 5.2.20
> Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code 
> execution vulnerability known as Spring4Shell.
> Impact
> A Spring MVC or Spring WebFlux application running on JDK 9+ may be 
> vulnerable to remote code execution (RCE) via data binding. The specific 
> exploit requires the application to run on Tomcat as a WAR deployment. If the 
> application is deployed as a Spring Boot executable jar, i.e. the default, it 
> is not vulnerable to the exploit. However, the nature of the vulnerability is 
> more general, and there may be other ways to exploit it.
> These are the prerequisites for the exploit:
> JDK 9 or higher
> Apache Tomcat as the Servlet container
> Packaged as WAR
> spring-webmvc or spring-webflux dependency
> Patches
> Spring Framework 5.3.18 and 5.2.20
> Spring Boot 2.6.6 and 2.5.12
> Workarounds
> For those who are unable to upgrade, leaked reports recommend setting 
> disallowedFields on WebDataBinder through an @ControllerAdvice. This works 
> generally, but as a centrally applied workaround fix, may leave some 
> loopholes, in particular if a controller sets disallowedFields locally 
> through its own @InitBinder method, which overrides the global setting.
> To apply the workaround in a more fail-safe way, applications could extend 
> RequestMappingHandlerAdapter to update the WebDataBinder at the end after all 
> other initialization. In order to do that, a Spring Boot application can 
> declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations 
> bean (Spring WebFlux).



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to