[ https://issues.apache.org/jira/browse/HUDI-3819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17520967#comment-17520967 ]
Sagar Sumit commented on HUDI-3819:
-----------------------------------

These are the prerequisites for the exploit:
* JDK 9 or higher
* Apache Tomcat as the Servlet container
* Packaged as WAR
* spring-webmvc or spring-webflux dependency

Should we treat it as blocker given that we don't officially support JDK 9 or higher?

Moreover, the vulnerability has not been patched in spring-shell yet; the latest artifact is still 1.2.0.RELEASE: [https://mvnrepository.com/artifact/org.springframework.shell/spring-shell]
And even the OSS release version is 2.0.1, which is about 4 years old: [https://github.com/spring-projects/spring-shell/releases/tag/v2.0.1.RELEASE], so building from source wouldn't help much.

At best, we can try to exclude spring-core from spring-shell and add the latest spring-core explicitly as a compile-time dependency. But it could throw up some compatibility issues. I'll give it a try. However, imo, we can wait until there is an official patched spring-shell artifact available.

> upgrade spring cve-2022-22965
> -----------------------------
>
>                 Key: HUDI-3819
>                 URL: https://issues.apache.org/jira/browse/HUDI-3819
>             Project: Apache Hudi
>          Issue Type: Bug
>          Components: cli
>    Affects Versions: 0.9.0, 0.10.1
>            Reporter: Jason-Morries Adam
>            Assignee: Sagar Sumit
>            Priority: Blocker
>             Fix For: 0.11.0
>
>
> We should upgrade the Spring Framework version at Hudi CLI because of
> cve-2022-22965. The Qualys Scanner finds these packages and raises a warning
> because of the existence of these files on the system.
> The found files are:
> /usr/lib/hudi/cli/lib/spring-beans-4.2.4.RELEASE.jar
> /usr/lib/hudi/cli/lib/spring-core-4.2.4.RELEASE.jar
> More Information:
> Spring Framework: https://spring.io/projects/spring-framework
> Spring project spring-framework release notes:
> https://github.com/spring-projects/spring-framework/releases
> CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
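The exclusion-and-override approach the comment proposes, written out as a Maven fragment. This is an added example, not a fragment of Hudi's own pom.xml: it assumes the spring-shell 1.2.0.RELEASE artifact named in the comment is what pulls spring-core 4.2.4.RELEASE onto the CLI classpath, and it uses Spring Framework 5.3.18, which is the first 5.3.x release carrying the CVE-2022-22965 fix. It goes one step beyond the comment by also pinning spring-beans (the other jar the scanner flagged) to the same version through the spring-framework-bom, because mixing Spring Framework module versions is not a supported configuration. Whether spring-shell 1.2.0 runs against Spring 5.3.x is exactly the compatibility question the comment raises and is not settled here.

```xml
<!-- Added example (not from the Hudi repository): replace the transitive
     spring-core that spring-shell brings in with an explicitly declared,
     patched version. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Pin every org.springframework module (spring-core, spring-beans, ...)
           to one version so the two flagged jars cannot drift apart. -->
      <dependency>
        <groupId>org.springframework</groupId>
        <artifactId>spring-framework-bom</artifactId>
        <version>5.3.18</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Weak form: spring-shell alone, which transitively resolves
         spring-core/spring-beans 4.2.4.RELEASE (the jars the scanner found).
         Leaving the block like this is the "before" state. -->
    <dependency>
      <groupId>org.springframework.shell</groupId>
      <artifactId>spring-shell</artifactId>
      <version>1.2.0.RELEASE</version>
      <!-- Hardened form: cut the transitive Spring modules out of spring-shell ... -->
      <exclusions>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-core</artifactId>
        </exclusion>
        <exclusion>
          <groupId>org.springframework</groupId>
          <artifactId>spring-beans</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- ... and declare them directly at compile scope. No <version> here:
         the BOM import above supplies 5.3.18 for both. -->
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-core</artifactId>
    </dependency>
    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-beans</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, confirm that no 4.2.4.RELEASE Spring artifact survives in the resolved graph with `mvn dependency:tree -Dincludes=org.springframework`; the same check on the packaged `cli/lib` directory is what the Qualys scan in the issue effectively performs, so an unexpected 4.x jar there means some other dependency still pulls it in and needs its own exclusion.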