[ https://issues.apache.org/jira/browse/STORM-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bipin Prasad updated STORM-3839:
--------------------------------
    Issue Type: Dependency upgrade  (was: Improvement)

> Upgrade org.springframework:spring-core for CVE-2022-22965
> ----------------------------------------------------------
>
>                 Key: STORM-3839
>                 URL: https://issues.apache.org/jira/browse/STORM-3839
>             Project: Apache Storm
>          Issue Type: Dependency upgrade
>          Components: examples
>            Reporter: Bipin Prasad
>            Priority: Critical
>             Fix For: 2.5.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Upgrade org.springframework:spring-beans to version 5.2.20 or later. For 
> example:
> {code:xml}
> <dependency>
>   <groupId>org.springframework</groupId>
>   <artifactId>spring-beans</artifactId>
>   <version>[5.2.20,)</version>
> </dependency>
> {code}
> Upgrade org.springframework:spring-core to version 5.2.20 or later. For 
> example:
> {code:xml}
> <dependency>
>   <groupId>org.springframework</groupId>
>   <artifactId>spring-core</artifactId>
>   <version>[5.2.20,)</version>
> </dependency>
> {code}
> [CVE-2022-22965|https://tanzu.vmware.com/security/cve-2022-22965] critical severity
> Vulnerable versions: < 5.2.20
> Patched version: 5.2.20
> Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code 
> execution vulnerability known as Spring4Shell.
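The ticket asks for an upgrade of the two artifacts and gives the patched releases for each line (5.2.20 and 5.3.18). The following is an added example, not code from the ticket or from the Apache Storm build, that scans a Maven pom.xml for those artifacts and reports versions below the patched release for their line. It parses only plain version strings; a managed version, a property reference such as a `${...}` placeholder, or a Maven range like the `[5.2.20,)` shown in the ticket is reported for manual review. Treating major versions above 5 as fixed is an assumption of this example, not a statement from the ticket.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example: checks a pom.xml for the Spring artifacts named in STORM-3839.
// Not part of the ticket or of the Apache Storm code base.
public class SpringCveCheck {

    // Artifacts the ticket asks to upgrade (org.springframework group).
    static final Set<String> ARTIFACTS = Set.of("spring-core", "spring-beans");

    /** True when a plain version string is at or above the patched release of its line. */
    static boolean isPatched(String version) {
        String[] parts = version.split("\\.");              // "5.2.20.RELEASE" -> 5, 2, 20, RELEASE
        if (parts.length < 3) return false;
        int major = Integer.parseInt(parts[0]);
        int minor = Integer.parseInt(parts[1]);
        int patch = Integer.parseInt(parts[2].replaceAll("\\D.*$", "")); // "18-SNAPSHOT" -> 18
        if (major > 5) return true;                         // assumption: later majors carry the fix
        if (major < 5) return false;                        // everything below 5.2.20 is listed as vulnerable
        if (minor == 3) return patch >= 18;                 // 5.3.x line: patched from 5.3.18
        if (minor == 2) return patch >= 20;                 // 5.2.x line: patched from 5.2.20
        return minor > 3;                                   // 5.0 / 5.1 predate the fix
    }

    private static String child(Element dep, String tag) {
        NodeList nodes = dep.getElementsByTagName(tag);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    /** One finding per Spring dependency that is vulnerable or cannot be judged from the pom alone. */
    static List<String> check(File pom) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // A build file is still untrusted input: refuse DTDs so the parser cannot be used for XXE.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().parse(pom);

        List<String> findings = new ArrayList<>();
        NodeList deps = doc.getElementsByTagName("dependency");
        for (int i = 0; i < deps.getLength(); i++) {
            Element dep = (Element) deps.item(i);
            String group = child(dep, "groupId");
            String artifact = child(dep, "artifactId");
            String version = child(dep, "version");
            if (!"org.springframework".equals(group) || !ARTIFACTS.contains(artifact)) continue;

            boolean notPlain = version == null || version.contains("$")
                    || version.startsWith("[") || version.startsWith("(");
            if (notPlain) {
                findings.add(artifact + ": version '" + version + "' is managed, a property or a range;"
                        + " resolve it with 'mvn dependency:tree' and check the resolved version manually");
            } else if (!isPatched(version)) {
                findings.add(artifact + " " + version + " is affected by CVE-2022-22965;"
                        + " upgrade to 5.2.20 / 5.3.18 or later");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        File pom = new File(args.length > 0 ? args[0] : "pom.xml");
        for (String finding : check(pom)) System.out.println(finding);
    }
}
```

Run it against the module's pom.xml; because Maven resolves managed and transitive versions at build time, a clean result from the pom alone is not proof, and the resolved tree from `mvn dependency:tree` is the authoritative check.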
> Impact
> A Spring MVC or Spring WebFlux application running on JDK 9+ may be 
> vulnerable to remote code execution (RCE) via data binding. The specific 
> exploit requires the application to run on Tomcat as a WAR deployment. If the 
> application is deployed as a Spring Boot executable jar, i.e. the default, it 
> is not vulnerable to the exploit. However, the nature of the vulnerability is 
> more general, and there may be other ways to exploit it.
> These are the prerequisites for the exploit:
> * JDK 9 or higher
> * Apache Tomcat as the Servlet container
> * Packaged as WAR
> * spring-webmvc or spring-webflux dependency
> Patches
> * Spring Framework 5.3.18 and 5.2.20
> * Spring Boot 2.6.6 and 2.5.12
> Workarounds
> For those who are unable to upgrade, leaked reports recommend setting 
> disallowedFields on WebDataBinder through an @ControllerAdvice. This works 
> generally, but as a centrally applied workaround fix, may leave some 
> loopholes, in particular if a controller sets disallowedFields locally 
> through its own @InitBinder method, which overrides the global setting.
> To apply the workaround in a more fail-safe way, applications could extend 
> RequestMappingHandlerAdapter to update the WebDataBinder at the end after all 
> other initialization. In order to do that, a Spring Boot application can 
> declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations 
> bean (Spring WebFlux).
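The fail-safe workaround described above, as an added example for the Spring MVC case (not code from the ticket or from Apache Storm): a Spring Boot `WebMvcRegistrations` bean supplies a `RequestMappingHandlerAdapter` subclass whose data binder factory applies `disallowedFields` after the global initializer and any controller-local `@InitBinder` method have run, so a local `@InitBinder` cannot override it. The field patterns are the ones published in Spring's advisory for CVE-2022-22965; the ticket does not list them, so they are an assumption here, as is the choice of `initBinder` as the override point. The class and bean names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import org.springframework.boot.autoconfigure.web.servlet.WebMvcRegistrations;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.context.request.NativeWebRequest;
import org.springframework.web.method.annotation.InitBinderDataBinderFactory;
import org.springframework.web.method.support.InvocableHandlerMethod;
import org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter;
import org.springframework.web.servlet.mvc.method.annotation.ServletRequestDataBinderFactory;

// Added example (hypothetical class names): mitigation for CVE-2022-22965 when
// the Spring upgrade itself is not yet possible. Not part of the ticket or of
// the Apache Storm code base.
@Configuration
public class Spring4ShellWorkaroundConfig {

    // Patterns from Spring's advisory for this CVE (assumed here; the ticket does not list them).
    static final String[] DISALLOWED = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @Bean
    public WebMvcRegistrations mvcRegistrations() {
        return new WebMvcRegistrations() {
            @Override
            public RequestMappingHandlerAdapter getRequestMappingHandlerAdapter() {
                return new HardenedRequestMappingHandlerAdapter();
            }
        };
    }

    static class HardenedRequestMappingHandlerAdapter extends RequestMappingHandlerAdapter {
        @Override
        protected InitBinderDataBinderFactory createDataBinderFactory(List<InvocableHandlerMethod> binderMethods) {
            return new ServletRequestDataBinderFactory(binderMethods, getWebBindingInitializer()) {
                @Override
                public void initBinder(WebDataBinder binder, NativeWebRequest request) throws Exception {
                    // Let the global WebBindingInitializer and every applicable @InitBinder
                    // method run first; then apply the restriction last so nothing overrides it.
                    super.initBinder(binder, request);
                    binder.setDisallowedFields(merged(binder.getDisallowedFields(), DISALLOWED));
                }
            };
        }
    }

    /** Merges the existing disallowed patterns with the extra ones instead of replacing them. */
    static String[] merged(String[] existing, String[] extra) {
        List<String> all = new ArrayList<>();
        if (existing != null) all.addAll(Arrays.asList(existing));
        for (String pattern : extra) {
            if (!all.contains(pattern)) all.add(pattern);
        }
        return all.toArray(new String[0]);
    }
}
```

Merging rather than replacing keeps whatever restrictions a controller already declared; a WebFlux application would register the equivalent adapter through a `WebFluxRegistrations` bean, as the description notes. The workaround is a stopgap: the ticket's actual fix is the dependency upgrade.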



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
