[ 
https://issues.apache.org/jira/browse/RANGER-4038?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17700511#comment-17700511
 ] 

Himanshu Maurya edited comment on RANGER-4038 at 3/15/23 6:07 AM:
------------------------------------------------------------------

I have gone through some of the blogs.

At some places it is mentioned that Spring 6.0 comes with support for Java 
17. They haven't mentioned that they have removed the support for older Java 
versions, but one of the major changes is that they have moved from Java EE to 
Jakarta EE9 (javax.* to jakarta.*).

In 
[https://vived.io/new-era-for-spring-spring-framework-6-0-spring-boot-3-0-and-only-jdk-17-jvm-weekly-22/]
they are mentioning that the new Spring 6.0 supports only Java 17 and doesn't 
support older versions.

[https://spring.io/blog/2022/11/16/spring-framework-6-0-goes-ga] 

[https://github.com/spring-projects/spring-integration/wiki/Spring-Integration-5.x-to-6.0-Migration-Guide]

Even here they are mentioning that the core framework for Spring comes with 
a Java 17+ baseline.

As per my understanding we are still on Java 8 and we cannot upgrade Spring to 
6.x with the current Java version, so what can we do to resolve this?


was (Author: JIRAUSER298460):
I have gone through some of the blogs.

At some places it is mentioned that Spring 6.0 comes with support for Java 
17. They haven't mentioned that they have removed the support for older Java 
versions, but one of the major changes is that they have moved from Java EE to 
Jakarta EE9 (javax.* to jakarta.*).

In 
[https://vived.io/new-era-for-spring-spring-framework-6-0-spring-boot-3-0-and-only-jdk-17-jvm-weekly-22/]
they are mentioning that the new Spring 6.0 supports only Java 17 and doesn't 
support older versions.

[https://spring.io/blog/2022/11/16/spring-framework-6-0-goes-ga] 

[https://github.com/spring-projects/spring-integration/wiki/Spring-Integration-5.x-to-6.0-Migration-Guide]

Even here they are mentioning that the core framework for Spring comes with 
a Java 17+ baseline.

As per my understanding we are still on Java 8 and we cannot upgrade Spring to 
6.x with the current Java version, so what can we do to resolve this?

> Upgrade spring framework and spring security versions
> -----------------------------------------------------
>
>                 Key: RANGER-4038
>                 URL: https://issues.apache.org/jira/browse/RANGER-4038
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>            Reporter: Himanshu Maurya
>            Assignee: Himanshu Maurya
>            Priority: Major
>
> Pivotal Spring Framework up to (excluding) 6.0.0 suffers from a potential 
> remote code execution (RCE) issue if used for Java deserialization of 
> untrusted data. Depending on how the library is implemented within a product, 
> this issue may or may not occur, and authentication may be required.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
