[ https://issues.apache.org/jira/browse/IGNITE-16781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Amelchev Nikita updated IGNITE-16781: ------------------------------------- Ignite Flags: Release Notes Required (was: Docs Required,Release Notes Required) > Upgrade org.springframework:spring-core for CVE-2022-22965 (a.k.a. > Spring4Shell) > -------------------------------------------------------------------------------- > > Key: IGNITE-16781 > URL: https://issues.apache.org/jira/browse/IGNITE-16781 > Project: Ignite > Issue Type: Bug > Components: spring > Reporter: Danut Radoaica > Assignee: Roman Puchkovskiy > Priority: Critical > Fix For: 2.14 > > Time Spent: 20m > Remaining Estimate: 0h > > Upgrade org.springframework:spring-beans to version 5.2.20 or later > Upgrade org.springframework:spring-core to version 5.2.20 or later > Vulnerable versions: < 5.2.20 > Patched version: 5.2.20 > Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code > execution vulnerability known as Spring4Shell. > Impact > A Spring MVC or Spring WebFlux application running on JDK 9+ may be > vulnerable to remote code execution (RCE) via data binding. The specific > exploit requires the application to run on Tomcat as a WAR deployment. If the > application is deployed as a Spring Boot executable jar, i.e. the default, it > is not vulnerable to the exploit. However, the nature of the vulnerability is > more general, and there may be other ways to exploit it. > These are the prerequisites for the exploit: > JDK 9 or higher > Apache Tomcat as the Servlet container > Packaged as WAR > spring-webmvc or spring-webflux dependency > Patches > Spring Framework 5.3.18 and 5.2.20 > Spring Boot 2.6.6 and 2.5.12 > Workarounds > For those who are unable to upgrade, leaked reports recommend setting > disallowedFields on WebDataBinder through an @ControllerAdvice. This works > generally, but as a centrally applied workaround fix, may leave some > loopholes, in particular if a controller sets disallowedFields locally > through its own @InitBinder method, which overrides the global setting. > To apply the workaround in a more fail-safe way, applications could extend > RequestMappingHandlerAdapter to update the WebDataBinder at the end after all > other initialization. In order to do that, a Spring Boot application can > declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations > bean (Spring WebFlux). -- This message was sent by Atlassian Jira (v8.20.1#820001)