[ 
https://issues.apache.org/jira/browse/AMQ-8612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Baptiste Onofré resolved AMQ-8612.
---------------------------------------
    Fix Version/s:     (was: 5.18.0)
       Resolution: Duplicate

Already updated to Spring 5.3.22

> Upgrade spring version to 5.3.20
> --------------------------------
>
>                 Key: AMQ-8612
>                 URL: https://issues.apache.org/jira/browse/AMQ-8612
>             Project: ActiveMQ
>          Issue Type: Dependency upgrade
>    Affects Versions: 5.17.1
>            Reporter: Shubhangi Raut
>            Priority: Major
>              Labels: security
>
> *Description :*
> *Severity :* CVE CVSS 3: 7.5, Sonatype CVSS 3: 5.3
> *Weakness :* CVE CWE: 770
> *Source :* National Vulnerability Database
> *Categories :* Data
> *Description from CVE :* In spring framework versions *prior to 5.3.20* and 
> old unsupported versions, applications that handle file uploads are 
> vulnerable to DoS attack if they rely on data binding to set a MultipartFile 
> or javax.servlet.Part to a field in a model object.
> *Explanation :* The spring-beans package is vulnerable to Allocation of 
> Resources Without Limits or Throttling. The constructor method in the 
> CachedIntrospectionResults class was disallowed from loading all ClassLoaders 
> in an attempt to avoid exposing dangerous classes that could lead to Remote 
> Code Execution vulnerabilities. This change caused the application server to 
> eventually crash in applications handling file uploads where MultipartFile and 
> javax.servlet.Part types are used in data binding. An attacker may craft 
> malicious file upload requests to Spring WebFlux or Spring MVC applications 
> and cause a Denial of Service [DoS] condition to servers that are affected by 
> this issue.
> The Sonatype security research team discovered that the root cause of the 
> vulnerability is in spring-beans, not directly in spring-mvc and 
> spring-webflux as the advisory states, and was introduced via a regression 
> following a fix for CVE-2022-22965 [SpringShell] in versions 5.2.20.RELEASE 
> for the 5.2.x branch, and 5.3.18 in the 5.3.x branch.
> *Detection :* The application is vulnerable by using this component.
> *Recommendation :* We recommend upgrading to a version of this component that 
> is not vulnerable to this specific issue.
> *CVE :* CVE-2022-22970
> *URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22970]
> Please upgrade the Spring version to the latest available, 5.3.20.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
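The ticket's detection line ("the application is vulnerable by using this component") leaves the actual check to the reader. The script below is an added example, not code from the ticket or from the ActiveMQ project: it scans default (non-verbose) `mvn dependency:tree` output for the resolved `org.springframework:spring-beans` version and flags anything below 5.3.20, the fixed version named in the quoted CVE text. The tree output embedded in it is constructed for illustration; the activemq-spring and Spring version numbers in it are not taken from a real build. It checks the resolved tree rather than pom.xml because spring-beans usually arrives transitively (here via activemq-spring), so a grep of the pom would miss it.

```python
"""Flag CVE-2022-22970-affected spring-beans versions in `mvn dependency:tree` output."""
import re
from typing import Dict, List, Tuple

# Per the CVE text quoted in the ticket, the fix ships in 5.3.20; anything below
# that (including 5.2.20.RELEASE, which Sonatype names as the start of the
# regression on the unsupported 5.2.x line) is treated as affected.
FIXED_VERSION = "5.3.20"
TARGET = "org.springframework:spring-beans"

# Default (non-verbose) dependency:tree line, e.g.
#   [INFO] |  +- org.springframework:spring-beans:jar:5.3.19:compile
# Coordinates are group:artifact:type[:classifier]:version:scope.
DEP_LINE = re.compile(
    r"^\[INFO\]\s+[|+\\\- ]*"
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+):"
    r"(?:(?P<classifier>[\w\-]+):)?(?P<version>[\w.\-]+):(?P<scope>\w+)\s*$"
)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Leading numeric components of a Maven version: '5.2.20.RELEASE' -> (5, 2, 20).

    Parsing stops at the first non-numeric piece, so qualifiers such as RELEASE
    are ignored; SNAPSHOT ordering is handled separately in is_affected().
    """
    parts: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if `version` sorts below FIXED_VERSION (numeric, component-wise)."""
    v, fixed = version_tuple(version), version_tuple(FIXED_VERSION)
    width = max(len(v), len(fixed))

    def pad(t: Tuple[int, ...]) -> Tuple[int, ...]:
        return t + (0,) * (width - len(t))

    if "SNAPSHOT" in version.upper():
        return pad(v) <= pad(fixed)  # 5.3.20-SNAPSHOT predates the 5.3.20 release
    return pad(v) < pad(fixed)


def find_spring_beans(tree_output: str) -> List[Dict[str, object]]:
    """Every resolved spring-beans node in the tree, with an `affected` verdict."""
    hits: List[Dict[str, object]] = []
    for line in tree_output.splitlines():
        m = DEP_LINE.match(line)
        if m and f"{m['group']}:{m['artifact']}" == TARGET:
            hits.append({
                "version": m["version"],
                "scope": m["scope"],
                "affected": is_affected(m["version"]),
            })
    return hits


def verdict(tree_output: str) -> str:
    """One-line summary suitable for a CI gate."""
    hits = find_spring_beans(tree_output)
    if not hits:
        return f"{TARGET}: not present in dependency tree"
    bad = [str(h["version"]) for h in hits if h["affected"]]
    if bad:
        return (f"{TARGET}: VULNERABLE to CVE-2022-22970 ({', '.join(bad)}); "
                f"upgrade to >= {FIXED_VERSION}")
    return f"{TARGET}: OK ({', '.join(str(h['version']) for h in hits)})"


# Constructed sample of `mvn dependency:tree` output (not a real project); the
# activemq-spring version and the Spring versions it pulls in are illustrative.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.3.0:tree (default-cli) @ demo-app ---
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- org.apache.activemq:activemq-spring:jar:5.17.1:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.19:compile
[INFO] |  \\- org.springframework:spring-context:jar:5.3.19:compile
[INFO] +- org.springframework:spring-webmvc:jar:5.3.19:compile
[INFO] \\- org.springframework:spring-core:jar:5.3.19:compile
"""

if __name__ == "__main__":
    # In a real pipeline: mvn -q dependency:tree -DoutputFile=tree.txt, then read that file.
    print(verdict(SAMPLE_TREE))
```

Run it against `mvn dependency:tree` output from the module that actually ships the broker or web application; a multi-module build can resolve a different spring-beans per module, so gate each one. The numeric comparison is intentionally simple and does not implement full Maven qualifier ordering beyond SNAPSHOT, which is sufficient for the 5.x version strings the ticket discusses.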
