Closed davidhcar closed 1 year ago
Fortunately, we're not at risk. From the link you provided above:
These are the prerequisites for the exploit:
- JDK 9 or higher
- Apache Tomcat as the Servlet container
- Packaged as WAR
- spring-webmvc or spring-webflux dependency
We'd like to move forward from JDK8, so when that happens we'll be able to use much more recent libraries.
@chrisknoll Thank you for looking into this. To clarify, we are using JDK8 so this is not at risk? And when we move away from JDK8 we will upgrade the affected spring packages (webmvc, webflux) and their dependencies?
That is my understanding of the vulnerability report: it requires JDK9+.
Yes, when we move away from JDK8, the primary reason for that will be to update our libraries to something much more recent (and hopefully more secure) that requires a more recent version of JDK (JDK 15, 17, 19, or later).
Sounds good! Thank you @chrisknoll!
Expected behavior
spring-core with no vulnerabilities, recommended to upgrade to 5.2.20 or above
Actual behavior
The library org.springframework:spring-core version 4.3.25 was detected in Maven library manager located at WebAPI.war and is vulnerable to CVE-2022-22965, which exists in versions < 5.2.20.
The vulnerability can be remediated by updating the library to version 5.2.20 or higher, using mvn versions:use-latest-releases -Dincludes=org.springframework:spring-core.
Steps to reproduce behavior
One of our monitoring tools detected that this version of spring-core has CRITICAL vulnerabilities that need immediate attention.
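The two questions this thread works through are (1) does the WAR ship a spring-core below the fixed release the scanner quotes, and (2) does the deployment meet the four exploit prerequisites quoted from the advisory (JDK 9+, Tomcat, WAR packaging, spring-webmvc or spring-webflux present). The following is an added triage script, not code from this project or from Spring: it builds a small in-memory WAR with constructed jar names standing in for WebAPI.war, reads the Spring artifact versions out of WEB-INF/lib, compares spring-core against a fixed-version threshold (defaulting to the 5.2.20 the report cites; pass the fixed release of your own branch if you are on a different line), and separately evaluates the prerequisites so the two answers are kept apart, the way the thread keeps "vulnerable library version" apart from "reachable in our deployment".

```python
import re
import zipfile
from io import BytesIO


def build_sample_war(jar_names):
    """Build a minimal in-memory WAR containing only empty jars under WEB-INF/lib.
    Constructed sample data for this example; not the project's real WebAPI.war."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in jar_names:
            zf.writestr(f"WEB-INF/lib/{name}", b"")
    return buf.getvalue()


# Constructed jar names; the spring-core version matches the one the scanner reported.
SAMPLE_WAR = build_sample_war([
    "spring-core-4.3.25.RELEASE.jar",
    "spring-webmvc-4.3.25.RELEASE.jar",
    "jackson-databind-2.9.10.jar",
])

# Matches WEB-INF/lib/spring-<artifact>-<numeric version>[.<qualifier>].jar
SPRING_JAR_RE = re.compile(
    r"^WEB-INF/lib/(spring-[a-z]+(?:-[a-z]+)*)-(\d+(?:\.\d+)*)(?:\.[A-Za-z0-9]+)?\.jar$"
)


def parse_version(version):
    """Turn '4.3.25' into (4, 3, 25) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def spring_artifacts(war_bytes):
    """Return {artifact_id: version} for every Spring jar found in WEB-INF/lib."""
    found = {}
    with zipfile.ZipFile(BytesIO(war_bytes)) as zf:
        for entry in zf.namelist():
            match = SPRING_JAR_RE.match(entry)
            if match:
                found[match.group(1)] = match.group(2)
    return found


def is_vulnerable_version(version, fixed="5.2.20"):
    """True when the version is below the fixed release (the report cites 5.2.20)."""
    return parse_version(version) < parse_version(fixed)


def exploit_prerequisites_met(java_major, servlet_container, packaging, artifacts):
    """The four prerequisites quoted in the thread, all of which must hold."""
    return (
        java_major >= 9
        and servlet_container.lower() == "tomcat"
        and packaging.lower() == "war"
        and ("spring-webmvc" in artifacts or "spring-webflux" in artifacts)
    )


def triage(war_bytes, java_major, servlet_container, packaging, fixed="5.2.20"):
    """Answer both questions separately: is the library version vulnerable, and does
    this deployment meet the exploit prerequisites on top of that."""
    artifacts = spring_artifacts(war_bytes)
    core_version = artifacts.get("spring-core")
    vulnerable = core_version is not None and is_vulnerable_version(core_version, fixed)
    reachable = vulnerable and exploit_prerequisites_met(
        java_major, servlet_container, packaging, artifacts
    )
    return {
        "spring_core": core_version,
        "vulnerable_version": vulnerable,
        "exploit_prerequisites_met": reachable,
    }


if __name__ == "__main__":
    # JDK8 deployment, as in the thread: the version is flagged but the prerequisites are not met.
    print(triage(SAMPLE_WAR, java_major=8, servlet_container="Tomcat", packaging="war"))
```

Running it on a JDK8 deployment reproduces the thread's conclusion: `vulnerable_version` is True, because 4.3.25 is below 5.2.20 and the scanner is right to flag it, while `exploit_prerequisites_met` is False. Re-run it with `java_major=11` and the second answer flips, which is why the upgrade still belongs on the roadmap before the JDK move.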