[jira] [Commented] (IGNITE-16869) Upgrade org.springframework:spring-core in ignite-extensions for CVE-2022-22965 (a.k.a. Spring4Shell)

Mon, 18 Apr 2022 03:14:05 -0700 


    [ 
https://issues.apache.org/jira/browse/IGNITE-16869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523635#comment-17523635
 ] 

Roman Puchkovskiy commented on IGNITE-16869:
--------------------------------------------

The idea is to do the following:
 # Remove ignite-spring-data and ignite-spring-data_2.0
 # Update ignite-spring-data_2.2 module to depend on the latest Spring version 
in branch 5.2 (it's currently 5.2.21)
 # Probably also rename ignite-spring-data_2.2 extension to ignite-spring-data 
(dropping the version postfix).

> Upgrade org.springframework:spring-core in ignite-extensions for 
> CVE-2022-22965 (a.k.a. Spring4Shell)
> -----------------------------------------------------------------------------------------------------
>
>                 Key: IGNITE-16869
>                 URL: https://issues.apache.org/jira/browse/IGNITE-16869
>             Project: Ignite
>          Issue Type: Bug
>          Components: extensions
>            Reporter: Roman Puchkovskiy
>            Assignee: Roman Puchkovskiy
>            Priority: Critical
>             Fix For: 2.14
>
>
> Upgrade org.springframework:spring-beans to version 5.2.20 or later
> Upgrade org.springframework:spring-core to version 5.2.20 or later
> Vulnerable versions: < 5.2.20
> Patched version: 5.2.20
> Spring Framework prior to versions 5.2.20 and 5.3.18 contains a remote code 
> execution vulnerability known as Spring4Shell.
> Impact
> A Spring MVC or Spring WebFlux application running on JDK 9+ may be 
> vulnerable to remote code execution (RCE) via data binding. The specific 
> exploit requires the application to run on Tomcat as a WAR deployment. If the 
> application is deployed as a Spring Boot executable jar, i.e. the default, it 
> is not vulnerable to the exploit. However, the nature of the vulnerability is 
> more general, and there may be other ways to exploit it.
> These are the prerequisites for the exploit:
> JDK 9 or higher
> Apache Tomcat as the Servlet container
> Packaged as WAR
> spring-webmvc or spring-webflux dependency
> Patches
> Spring Framework 5.3.18 and 5.2.20
> Spring Boot 2.6.6 and 2.5.12
> Workarounds
> For those who are unable to upgrade, leaked reports recommend setting 
> disallowedFields on WebDataBinder through an @ControllerAdvice. This works 
> generally, but as a centrally applied workaround fix, may leave some 
> loopholes, in particular if a controller sets disallowedFields locally 
> through its own @InitBinder method, which overrides the global setting.
> To apply the workaround in a more fail-safe way, applications could extend 
> RequestMappingHandlerAdapter to update the WebDataBinder at the end after all 
> other initialization. In order to do that, a Spring Boot application can 
> declare a WebMvcRegistrations bean (Spring MVC) or a WebFluxRegistrations 
> bean (Spring WebFlux).



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to