> On Apr 9, 2022, at 12:34 AM, Emmanuel Lécharny wrote:
>
> comments inline
>
> On 08/04/2022 18:41, DONNELL M GARRETT wrote:
>> On March 31, 2022 a pair of significant vulnerabilities were identified in
>> the Java Spring Framework which would allow an attacker to execute malicious
>> code.
>>
>> * CVE-2022-22963 - https://tanzu.vmware.com/security/cve-2022-22963
>> * CVE-2022-22965 - https://tanzu.vmware.com/security/cve-2022-22965
>>
>> It is critical for all of our vendors to determine if their software is
>> impacted so that remediation steps can be taken. We need your company to
>> respond to the following questions immediately:
>>
>> * Is your product impacted by CVE-2022-22963 or CVE-2022-22965?
>
> Most of our projects aren't impacted. We are investigating the
> fortress-enmasse library.
>

Fortress REST (enmasse) is not affected.

>
>> * Is your product built on Java?
>
> yes
>
>> * Does your product depend on the Spring Cloud Function project? If so,
>> what version?
>
> no
>
>> * Does your product depend on Spring Framework? If so, what version?
>
> fortress-enmasse is using springframework 5.3.17. We are currently assessing
> the risks and will cut a release asap if needed.
>

Fortress REST does use spring-core and spring-security-web, but neither pulls in
the affected artifacts, spring-webmvc and spring-flux, as transient dependencies.
Also, Fortress WEB (commander) pulls in spring-security-web, spring-config and
other spring libs via wicket, but again, not pulling in the affected libs.

>> * Does the product require JDK 9 or higher?
>
> No, Java8 atm.
>
>> * Does the product have a dependency on spring-webmvc?
>
> no
>
>> * Does the product have a dependency on spring-webflux?
>
> no
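The reasoning in the reply above (which artifacts are on the classpath, at what Spring version, on which JDK) is exactly the triage VMware's advisory for CVE-2022-22965 asks for: the bug is reachable through spring-webmvc or spring-webflux, on JDK 9 or newer, and is fixed in Spring Framework 5.3.18 and 5.2.20. The script below is an added example, not Apache Fortress or Apache Directory code, that automates that check against captured `mvn dependency:tree` and `java -version` output. The dependency trees, the `com.example` coordinates and the Java version strings it contains are constructed samples; the function names (`spring_version_fixed`, `java_major`, `spring4shell_verdict`) are this example's own.

```shell
#!/bin/sh
# Added example (not Fortress project code): triage one project against the
# conditions for CVE-2022-22965 using captured build output. All sample
# input below is constructed, not real fortress-rest output.

# Exit 0 when a Spring Framework version carries the fix (5.3.18+, 5.2.20+,
# or any later line), 1 when it is still vulnerable.
spring_version_fixed() {
  printf '%s\n' "$1" | awk -F. '
    $1 == 5 && $2 == 3 { if ($3+0 >= 18) exit 0; else exit 1 }
    $1 == 5 && $2 == 2 { if ($3+0 >= 20) exit 0; else exit 1 }
    $1 > 5 || ($1 == 5 && $2 > 3) { exit 0 }
    { exit 1 }'
}

# Major Java version from the first line of `java -version`:
#   java version "1.8.0_322"  -> 8      openjdk version "17.0.2"  -> 17
java_major() {
  printf '%s\n' "$1" \
    | sed -n '1s/.*version "\([^"]*\)".*/\1/p' \
    | awk -F. '{ if ($1 == 1) print $2; else print $1 }'
}

# One-word verdict for a project, given its `mvn dependency:tree` output and
# its `java -version` output:
#   NOT-EXPOSED  neither spring-webmvc nor spring-webflux is on the classpath
#   PATCHED      an affected artifact is present but already at a fixed version
#   JDK8-ONLY    affected artifact below the fix, but JDK < 9 blocks the known
#                exploit path (upgrade anyway)
#   EXPOSED      affected artifact below the fix on JDK 9 or newer
spring4shell_verdict() {
  tree=$1; jver=$2
  # Only org.springframework:spring-webmvc / spring-webflux count; spring-web,
  # spring-core and spring-security-web do not match this pattern.
  hits=$(printf '%s\n' "$tree" \
    | grep -E 'org\.springframework:spring-web(mvc|flux):jar:' || true)
  if [ -z "$hits" ]; then echo NOT-EXPOSED; return 0; fi
  vulnerable=0
  for v in $(printf '%s\n' "$hits" | sed 's/.*:jar:\([^:]*\):.*/\1/'); do
    spring_version_fixed "$v" || vulnerable=1
  done
  if [ "$vulnerable" -eq 0 ]; then echo PATCHED; return 0; fi
  jmajor=$(java_major "$jver")
  [ -n "$jmajor" ] || jmajor=9   # unknown JDK: assume the worst case
  if [ "$jmajor" -lt 9 ]; then echo JDK8-ONLY; return 0; fi
  echo EXPOSED
}

# Constructed sample trees (hypothetical coordinates). TREE_REST mirrors the
# shape described in the thread: spring-core and spring-security-web present,
# spring-webmvc/spring-webflux absent.
TREE_REST='[INFO] com.example:rest-api:jar:1.0
[INFO] +- org.springframework:spring-core:jar:5.3.17:compile
[INFO] |  \- org.springframework:spring-jcl:jar:5.3.17:compile
[INFO] \- org.springframework.security:spring-security-web:jar:5.6.2:compile
[INFO]    \- org.springframework:spring-web:jar:5.3.17:compile'
TREE_MVC='[INFO] com.example:portal:war:1.0
[INFO] \- org.springframework:spring-webmvc:jar:5.3.17:compile
[INFO]    \- org.springframework:spring-web:jar:5.3.17:compile'
TREE_MVC_FIXED='[INFO] com.example:portal:war:1.0
[INFO] \- org.springframework:spring-webmvc:jar:5.3.18:compile'
JAVA8='openjdk version "1.8.0_322"'
JAVA17='openjdk version "17.0.2" 2022-01-18'

printf 'rest-api 5.3.17 on JDK 17: %s\n' "$(spring4shell_verdict "$TREE_REST" "$JAVA17")"
printf 'portal   5.3.17 on JDK 8:  %s\n' "$(spring4shell_verdict "$TREE_MVC" "$JAVA8")"
printf 'portal   5.3.17 on JDK 17: %s\n' "$(spring4shell_verdict "$TREE_MVC" "$JAVA17")"
printf 'portal   5.3.18 on JDK 17: %s\n' "$(spring4shell_verdict "$TREE_MVC_FIXED" "$JAVA17")"
```

Against a real project, feed it `mvn dependency:tree` run in the module that produces the deployable (a WAR's transitive closure is what ends up in the container, not the parent POM's) and the `java -version` of the runtime that will actually host it. The JDK8-ONLY verdict is a statement about the published exploit path, not a reason to stay on 5.3.17: CVE-2022-22963 (Spring Cloud Function) is a separate issue that this script does not check.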
