Open sethdarragile6 opened 1 year ago
Our spring-web version was identified by SecRel as a critical vulnerability. I acknowledge the vulnerability in Aqua with a reference to this ticket.
In branch yoom/use-secrel4 (which updates to use SecRel 4.0), I updated to spring_boot_version 2.7.6 for SecRel to pass due to Snyk alerts:
More and more aqua alerts coming up around 5.x versions of Spring lately. Might want to prioritize this ticket soon.
Note:
More SecRel issues based on spring-web
- Suppressed for 2 weeks
Note: Hyperlink can only be accessed if you are on Citrix or utilizing GFE.
Severity | Description | Remediation | Fix Version | Vulnerability Name
-- | -- | -- | -- | --
Critical | Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. | Upgrade package spring-web to version 6.0.0 or above. | 6.0.0 | [CVE-2016-1000027](https://github.com/advisories/GHSA-4wrc-f8pq-fpqp)

Image: [abd-vro-internal/dev_vro-svc-bie-kafka:882d8a1](https://aqua.lighthouse.va.gov/#/images/Ad%20Hoc%20Scans/ghcr.io%2Fdepartment-of-veterans-affairs%2Fabd-vro-internal%2Fdev_vro-svc-bie-kafka:882d8a1/vulns?digest=sha256%3A466557ac64fca59ac789e05795f8e947bd94179cf96e4c757f933bff5b93d129)

Note: Hyperlink can only be accessed if you are on Citrix or utilizing GFE.
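As an added check (not code from this ticket or the VRO project), the script below scans `./gradlew dependencies` output for `org.springframework:spring-web` versions below the 6.0.0 fix version listed in the Aqua finding, honouring Gradle's `declared -> resolved` conflict-resolution notation; the dependency tree it parses is a constructed sample.

```python
"""Flag spring-web versions below the fix version in the Aqua finding (CVE-2016-1000027).
Added example for this ticket, not VRO project code: it scans `./gradlew dependencies`
output (a constructed sample is embedded below) and reports spring-web versions < 6.0.0."""
import re

FIX_VERSION = (6, 0, 0)  # "Upgrade package spring-web to version 6.0.0 or above"

# Matches a Gradle tree entry such as
#   |    +--- org.springframework:spring-web:5.3.16 -> 5.3.24 (*)
# capturing group, artifact, declared version and the optional resolved version.
_DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+)(?::(?P<declared>[\w.\-]+))?"
    r"(?:\s+->\s+(?P<resolved>[\w.\-]+))?"
)

def parse_version(text):
    """'5.3.24' -> (5, 3, 24); a trailing qualifier such as '-SNAPSHOT' is ignored."""
    parts = []
    for piece in re.split(r"[.\-]", text):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def find_vulnerable(tree_text, group="org.springframework", artifact="spring-web"):
    """Return the sorted, de-duplicated versions of group:artifact below FIX_VERSION."""
    found = set()
    for line in tree_text.splitlines():
        m = _DEP_RE.search(line)
        if not m or (m.group("group"), m.group("artifact")) != (group, artifact):
            continue
        # "declared -> resolved" means Gradle bumped it; only the resolved version ships.
        version = m.group("resolved") or m.group("declared")
        if version and parse_version(version) < FIX_VERSION:
            found.add(version)
    return sorted(found, key=parse_version)

# Constructed sample of `./gradlew dependencies` output, not real output from the VRO build.
SAMPLE_TREE = """\
compileClasspath - Compile classpath for source set 'main'.
+--- org.springframework.boot:spring-boot-starter-web:2.7.6
|    +--- org.springframework:spring-web:5.3.24
|    \\--- org.springframework:spring-webmvc:5.3.24
+--- org.springframework:spring-web:5.3.16 -> 5.3.24 (*)
\\--- org.springframework:spring-web:6.0.2 (c)
"""

if __name__ == "__main__":
    for v in find_vulnerable(SAMPLE_TREE):
        print(f"spring-web {v} is below fix version 6.0.0 (CVE-2016-1000027)")
```

Pipe the real tree in with `./gradlew dependencies | python3 check_spring_web.py` (reading stdin instead of `SAMPLE_TREE`) to run it against a module such as svc-bie-kafka.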
Description
Dependabot flagged 2 dependencies for update:
It was decided to delay this update. Per Afsin:
Acceptance Criteria