[jira] [Updated] (STORM-3839) Upgrade org.springframework:spring-core for CVE-2022-22965
[ https://issues.apache.org/jira/browse/STORM-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bipin Prasad updated STORM-3839:
--------------------------------
    Issue Type: Dependency upgrade  (was: Improvement)

> Upgrade org.springframework:spring-core for CVE-2022-22965
> ----------------------------------------------------------
>
>                 Key: STORM-3839
>                 URL: https://issues.apache.org/jira/browse/STORM-3839
>             Project: Apache Storm
>          Issue Type: Dependency upgrade
>          Components: examples
>            Reporter: Bipin Prasad
>            Priority: Critical
>             Fix For: 2.5.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Upgrade org.springframework:spring-beans to version 5.2.20 or later. For example:
> {code:xml}
> <dependency>
>   <groupId>org.springframework</groupId>
>   <artifactId>spring-beans</artifactId>
>   <version>[5.2.20,)</version>
> </dependency>
> {code}
>
> Upgrade org.springframework:spring-core to version 5.2.20 or later. For example:
> {code:xml}
> <dependency>
>   <groupId>org.springframework</groupId>
>   <artifactId>spring-core</artifactId>
>   <version>[5.2.20,)</version>
> </dependency>
> {code}
>
> [CVE-2022-22965|https://tanzu.vmware.com/security/cve-2022-22965] critical severity
> Vulnerable versions: < 5.2.20
> Patched version: 5.2.20
>
> Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code execution vulnerability known as Spring4Shell.
>
> Impact
> A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
>
> These are the prerequisites for the exploit:
> * JDK 9 or higher
> * Apache Tomcat as the Servlet container
> * Packaged as WAR
> * spring-webmvc or spring-webflux dependency
>
> Patches
> * Spring Framework 5.3.18 and 5.2.20
> * Spring Boot 2.6.6 and 2.5.12
>
> Workarounds
> For those who are unable to upgrade, leaked reports recommend setting disallowedFields on WebDataBinder through an @ControllerAdvice. This works generally, but as a centrally applied workaround fix, may leave some loopholes, in particular if a controller sets disallowedFields locally through its own @InitBinder method, which overrides the global setting.
>
> To apply the workaround in a more fail-safe way, applications could extend RequestMappingHandlerAdapter to update the WebDataBinder at the end after all other initialization. In order to do that, a Spring Boot application can declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations bean (Spring WebFlux).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Updated] (STORM-3839) Upgrade org.springframework:spring-core for CVE-2022-22965
[ https://issues.apache.org/jira/browse/STORM-3839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bipin Prasad updated STORM-3839:
--------------------------------
    Fix Version/s: 2.5.0

> Upgrade org.springframework:spring-core for CVE-2022-22965
> ----------------------------------------------------------
>
>                 Key: STORM-3839
>                 URL: https://issues.apache.org/jira/browse/STORM-3839
>             Project: Apache Storm
>          Issue Type: Improvement
>          Components: examples
>            Reporter: Bipin Prasad
>            Priority: Critical
>             Fix For: 2.5.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h

--
This message was sent by Atlassian Jira
(v8.20.1#820001)