highmed / highmed-dsf

HiGHmed Data Sharing Framework funded by the German Federal Ministry of Education and Research (BMBF, grant ids: 01ZZ1802E and 01ZZ1802A)
Apache License 2.0

CVE-2022-22965 #330

Closed bauerjs1 closed 2 years ago

bauerjs1 commented 2 years ago

Hello everybody,

first of all, thank you for the current update and its related security fixes! As you might know, a new day-0 security hole was found in the Spring core packages (CVE-2022-22965).

While building the new BPE image 0.5.5 (I'm building a custom image on top of it), Trivy scanner alerted me on this one:

+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
|             LIBRARY              | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION  |                 TITLE                 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+
| org.springframework:spring-beans | CVE-2022-22965   | CRITICAL | 5.3.16            | 5.3.18, 5.2.20 | spring-framework: RCE via             |
|                                  |                  |          |                   |                | Data Binding on JDK 9+                |
|                                  |                  |          |                   |                | -->avd.aquasec.com/nvd/cve-2022-22965 |
+----------------------------------+------------------+----------+-------------------+----------------+---------------------------------------+

Would it be possible to release a hotfix for this one by updating the Spring dependencies?

Thanks in advance and cheers, Johannes

P.S.: As noted on the release page, the recent update needs more maintenance than just bumping the image tags. Since I am not using the exact same deployment strategy as in the examples (no docker secrets, unified .env file for DSF-FHIR, Kubernetes Helm deployment for BPE), it is quite hard to find out breaking changes in the configuration of the containers themselves. Is there an overview somewhere? Moreover, if you're interested in the deployments I use (and publish in the Miracum context), let me know.

bauerjs1 commented 2 years ago

Relates to #326

hhund commented 2 years ago

We have looked extensively at CVE-2022-22965 and especially the reports coming from the developers at Spring:

Am I Impacted? These are the requirements for the specific scenario from the report:

Based on the "Am I Impacted" statements and the actual code that was fixed, we have concluded that we are not impacted by CVE-2022-22965. We use Jetty as our Servlet container, the fhir and bpe applications are not packaged as WAR files and we have no dependency to spring-webmvc and spring-webflux.

I have added a few notes for non-standard deployments to the upgrade guide.

The spring-beans dependency will be upgraded with the next scheduled release, which is currently 0.6.0.
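The triage carried out in this thread, written up as an added example that is neither the project's code nor any commenter's: it reads a Trivy JSON report (the sample is constructed here in Trivy's report layout, mirroring the table in the first post), compares the installed spring-beans version only against the fix published for its own release branch, and then checks the exploit preconditions the thread names (JDK 9+, Tomcat, WAR packaging, spring-webmvc/spring-webflux). The `deployment` facts dict is constructed for illustration and is not the DSF's actual configuration.

```python
import json

# Constructed sample in Trivy's JSON report layout (same finding as the table in the first post).
TRIVY_REPORT = json.loads("""
{"Results": [{"Target": "Java", "Class": "lang-pkgs", "Type": "jar",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2022-22965", "PkgName": "org.springframework:spring-beans",
     "InstalledVersion": "5.3.16", "FixedVersion": "5.3.18, 5.2.20", "Severity": "CRITICAL"}]}]}
""")

def parse_version(v):
    """Turn '5.3.16' into (5, 3, 16); non-numeric parts (e.g. 'RELEASE') count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def is_fixed(installed, fixed_field):
    """Trivy lists one fixed version per maintained branch ('5.3.18, 5.2.20').
    Only the fix on the installed major.minor branch counts; a branch with no
    listed fix is reported as unfixed rather than silently compared to another branch."""
    inst = parse_version(installed)
    for fixed in (f.strip() for f in fixed_field.split(",") if f.strip()):
        fx = parse_version(fixed)
        if fx[:2] == inst[:2]:
            return inst >= fx
    return False

def vulnerable_findings(report, cve):
    """Return (package, installed, fixed) for every instance of `cve` still below its branch fix."""
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            if vuln["VulnerabilityID"] == cve and not is_fixed(vuln["InstalledVersion"], vuln.get("FixedVersion", "")):
                out.append((vuln["PkgName"], vuln["InstalledVersion"], vuln.get("FixedVersion", "")))
    return out

def exploit_preconditions_met(deployment):
    """All four conditions from the thread must hold for the known exploit path to apply;
    a scanner hit on spring-beans alone does not establish exposure."""
    return (deployment["jdk_major"] >= 9
            and deployment["servlet_container"].lower() == "tomcat"
            and deployment["packaging"].lower() == "war"
            and bool(deployment["deps"] & {"spring-webmvc", "spring-webflux"}))

# Constructed deployment facts following the thread (Jetty, no WAR, no webmvc/webflux); JDK version assumed.
DSF_BPE_DEPLOYMENT = {"jdk_major": 11, "servlet_container": "Jetty", "packaging": "jar",
                      "deps": {"spring-beans", "spring-web"}}

if __name__ == "__main__":
    for pkg, inst, fixed in vulnerable_findings(TRIVY_REPORT, "CVE-2022-22965"):
        print(f"{pkg} {inst} is below branch fix ({fixed}); dependency bump still due")
    print("exploit preconditions met:", exploit_preconditions_met(DSF_BPE_DEPLOYMENT))
```

The two results are deliberately separate: the version check says the dependency should still be bumped, while the precondition check says whether the deployment is exposed in the meantime.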

bauerjs1 commented 2 years ago

Alright, thanks a lot for the explanation and the additional notes in the update guide! 👍🏻