OHDSI / WebAPI

OHDSI WebAPI contains all OHDSI services that can be called from OHDSI applications
Apache License 2.0

Security Vulnerability detected in spring-core version 4.3.25 #2298

Closed davidhcar closed 11 months ago

davidhcar commented 11 months ago

Expected behavior

spring-core with no vulnerabilities, recommended to upgrade to 5.2.20 or above

Actual behavior

The library org.springframework:spring-core version 4.3.25 was detected in Maven library manager located at WebAPI.war and is vulnerable to CVE-2022-22965, which exists in versions < 5.2.20.

The vulnerability can be remediated by updating the library to version 5.2.20 or higher, using mvn versions:use-latest-releases -Dincludes=org.springframework:spring-core.

Steps to reproduce behavior

One of our monitoring tools detected that this version of spring-core has CRITICAL vulnerabilities that need immediate attention.

chrisknoll commented 11 months ago

Fortunately, we're not at risk. From the link you provided above:

These are the prerequisites for the exploit:

- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency

We'd like to move forward from JDK8, so when that happens we'll be able to use much more recent libraries.

davidhcar commented 11 months ago

@chrisknoll Thank you for looking into this. To clarify, we are using JDK8, so this is not at risk? And when we move away from JDK8, we will upgrade the affected spring packages (webmvc, webflux) and their dependencies?

chrisknoll commented 11 months ago

That is my understanding of the vulnerability report: it requires JDK9+.

Yes, when we move away from JDK8, the primary reason for that will be to update our libraries to something much more recent (and hopefully more secure) that requires a more recent version of JDK (JDK 15, 17, 19, or later).
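The two questions this thread turns on, whether the bundled spring-core falls in the affected version range and whether the advisory's exploit prerequisites (JDK 9+, Tomcat, WAR packaging, spring-webmvc/webflux) actually hold for a deployment, can be checked mechanically. The script below is an added example, not code from the WebAPI project; the `jars_in_war` helper, the jar-name pattern and the sample jar list are assumptions/constructed, and the 5.3.x fixed version (5.3.18) comes from the published Spring advisory rather than from this issue.

```python
import re
import zipfile
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumed jar naming: spring-core-4.3.25.RELEASE.jar (4.x/5.2.x) or spring-core-5.3.17.jar (5.3.x).
JAR_RE = re.compile(r"^spring-(core|webmvc|webflux)-(\d+)\.(\d+)\.(\d+)(?:\.RELEASE)?\.jar$")


def parse_spring_jar(name: str) -> Optional[Tuple[str, Version]]:
    """Return (artifact, version) for a spring-core/webmvc/webflux jar name, else None."""
    m = JAR_RE.match(name)
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)))


def spring_core_vulnerable(v: Version) -> bool:
    """CVE-2022-22965 affected ranges per the Spring advisory: < 5.2.20 and 5.3.0 to 5.3.17."""
    return v < (5, 2, 20) or (5, 3, 0) <= v < (5, 3, 18)


def java_major(version_string: str) -> int:
    """Map a `java -version` string to its major release: '1.8.0_292' -> 8, '17.0.2' -> 17."""
    parts = version_string.split(".")
    return int(parts[1]) if parts[0] == "1" else int(parts[0])


def jars_in_war(war_path: str) -> List[str]:
    """List the jar file names bundled under WEB-INF/lib of a WAR (assumed helper)."""
    with zipfile.ZipFile(war_path) as war:
        return [n.rsplit("/", 1)[-1] for n in war.namelist()
                if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]


def assess(jar_names: List[str], java_version: str, tomcat: bool, war: bool) -> Dict:
    """Combine the spring-core version check with the advisory's exploit prerequisites."""
    found = dict(filter(None, (parse_spring_jar(n) for n in jar_names)))
    core = found.get("core")
    vulnerable = core is not None and spring_core_vulnerable(core)
    prereqs = {"jdk9_or_higher": java_major(java_version) >= 9, "tomcat": tomcat,
               "packaged_as_war": war, "webmvc_or_webflux": "webmvc" in found or "webflux" in found}
    return {"spring_core": core, "vulnerable_version": vulnerable,
            "prerequisites": prereqs, "at_risk": vulnerable and all(prereqs.values())}


# Constructed sample mirroring the issue: spring-core 4.3.25 in a WAR on Tomcat, run on JDK 8.
SAMPLE_JARS = ["spring-core-4.3.25.RELEASE.jar", "spring-webmvc-4.3.25.RELEASE.jar", "other-lib-1.0.jar"]

if __name__ == "__main__":
    print(assess(SAMPLE_JARS, "1.8.0_292", tomcat=True, war=True))
```

Running the same sample with a JDK 9+ version string flips `at_risk` to true, which is the check worth re-running when the JDK upgrade discussed above happens.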

davidhcar commented 11 months ago

Sounds good! Thank you @chrisknoll!