daust / JasperReportsIntegration

JasperReportsIntegration provides an interface to use the JasperReports reporting engine in an Oracle database application, specifically with Oracle Application Express (Oracle APEX).
BSD 3-Clause "New" or "Revised" License

Spring4Shell RCE Vulnerability #103

Closed nlwilson02 closed 2 years ago

nlwilson02 commented 2 years ago

A vulnerability has been announced with the Spring Framework. The current spring versions included in 2.8.1 are listed as vulnerable versions.
https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Is there a plan to upgrade/replace the spring jar files in the jri.war file?

Thanks, Nancy

daust commented 2 years ago

Hi Nancy,

thank you for bringing this to my attention. Reading the description of the vulnerability, it says:

The vulnerability impacts Spring MVC and Spring WebFlux applications running on JDK 9+.

I am using neither one in the Java application; the application is not based on the Spring Boot framework. Everything is done using plain and simple, old and tried servlet programming.

The dependency is required somehow by JasperReports itself, I believe it was for compiling the reports from .jrxml to .jasper on the fly. This is a feature of my integration. Thus, I would need the spring libraries. But they are not used in the context of a typical web application. And this is where the vulnerability can be exploited.

Therefore, I don't see it as a major issue. Nevertheless, you should be able to remove the vulnerable libraries from the .war file and replace them with more current versions.

If I find the time, I might publish an updated version, but I don't believe we are affected as of now.

For 2.9.0 I will use the most recent version of spring boot anyhow.

This is my dependency on the spring framework:

    // https://mvnrepository.com/artifact/org.springframework/spring-core
    implementation group: 'org.springframework', name: 'spring-core', version: '5.+'
    // https://mvnrepository.com/artifact/org.springframework/spring-beans
    implementation group: 'org.springframework', name: 'spring-beans', version: '5.+'

It will always pick up the latest one.

You could even clone the repository and build it yourself.

Best ~Dietmar.
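A check for the replacement step described above, added here as an example and not part of the thread or the project's code: it lists the Spring jars bundled in the .war and flags any whose version is below a minimum you pass in (the patched release named in the Spring advisory linked earlier). It assumes `unzip`, a version-aware `sort -V`, and that the jars sit under `WEB-INF/lib/` inside the war.

```shell
#!/bin/sh
# Added example (not the project's code): audit the Spring jar versions
# bundled in a .war before and after swapping them out.

# Read jar paths on stdin, print "artifact version" for the Spring ones.
# Handles both 5.3-style (5.3.18) and older suffixed names (5.2.20.RELEASE).
spring_jar_versions() {
  sed -E -n 's#.*/(spring-[a-z-]+)-([0-9][0-9.]*[0-9](\.[A-Za-z0-9]+)?)\.jar$#\1 \2#p'
}

# Read "artifact version" lines on stdin; return 0 if every version is
# >= $1, otherwise print the offenders and return 1.
check_min_version() {
  min="$1"
  rc=0
  while read -r artifact version; do
    # The lower of the two according to version sort decides.
    lowest=$(printf '%s\n%s\n' "$version" "$min" | sort -V | head -n 1)
    if [ "$version" != "$min" ] && [ "$lowest" = "$version" ]; then
      echo "TOO OLD: $artifact $version (< $min)"
      rc=1
    else
      echo "ok:      $artifact $version"
    fi
  done
  return $rc
}

# List the library jars inside a war without extracting it (assumes unzip).
list_war_jars() {
  unzip -Z1 "$1" 'WEB-INF/lib/*.jar'
}

# Usage against a real deployment, with MIN_VERSION set to the patched
# release from the advisory for the branch you ship:
#   list_war_jars jri.war | spring_jar_versions | check_min_version "$MIN_VERSION"
```

A non-zero exit from the pipeline means at least one bundled Spring jar is older than the minimum, which is the condition the security scans mentioned in this thread report on.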

nlwilson02 commented 2 years ago

Thanks so much for the quick reply and clear explanation. I will go ahead and replace the 3 spring files on our servers, just so old versions don't show on any security scans.

Thanks again for all you do to make this reporting tool available to us! Nancy

daust commented 2 years ago

Perfect! You are more than welcome. Happy to hear that it is useful, and you like it :)