[ https://issues.apache.org/jira/browse/STORM-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bipin Prasad updated STORM-3839: -------------------------------- Issue Type: Dependency upgrade (was: Improvement) > Upgrade org.springframework:spring-core for CVE-2022-22965 > ---------------------------------------------------------- > > Key: STORM-3839 > URL: https://issues.apache.org/jira/browse/STORM-3839 > Project: Apache Storm > Issue Type: Dependency upgrade > Components: examples > Reporter: Bipin Prasad > Priority: Critical > Fix For: 2.5.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Upgrade org.springframework:spring-beans to version 5.2.20 or later. For > example: > {code:java} > <dependency> > <groupId>org.springframework</groupId> > <artifactId>spring-beans</artifactId> > <version>[5.2.20,)</version> > </dependency> > {code} > Upgrade org.springframework:spring-core to version 5.2.20 or later. For > example: > {code:java} > <dependency> > <groupId>org.springframework</groupId> > <artifactId>spring-core</artifactId> > <version>[5.2.20,)</version> > </dependency> > {code} > [CVE-2022-22965 |https://tanzu.vmware.com/security/cve-2022-22965]critical > severity > Vulnerable versions: < 5.2.20 > Patched version: 5.2.20 > Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code > execution vulnerability known as Spring4Shell. > Impact > A Spring MVC or Spring WebFlux application running on JDK 9+ may be > vulnerable to remote code execution (RCE) via data binding. The specific > exploit requires the application to run on Tomcat as a WAR deployment. If the > application is deployed as a Spring Boot executable jar, i.e. the default, it > is not vulnerable to the exploit. However, the nature of the vulnerability is > more general, and there may be other ways to exploit it. > These are the prerequisites for the exploit: > JDK 9 or higher > Apache Tomcat as the Servlet container > Packaged as WAR > spring-webmvc or spring-webflux dependency > Patches > Spring Framework 5.3.18 and 5.2.20 > Spring Boot 2.6.6 and 2.5.12 > Workarounds > For those who are unable to upgrade, leaked reports recommend setting > disallowedFields on WebDataBinder through an @ControllerAdvice. This works > generally, but as a centrally applied workaround fix, may leave some > loopholes, in particular if a controller sets disallowedFields locally > through its own @InitBinder method, which overrides the global setting. > To apply the workaround in a more fail-safe way, applications could extend > RequestMappingHandlerAdapter to update the WebDataBinder at the end after all > other initialization. In order to do that, a Spring Boot application can > declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations > bean (Spring WebFlux). -- This message was sent by Atlassian Jira (v8.20.10#820010)