[
https://issues.apache.org/jira/browse/NIFI-9852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17515618#comment-17515618
]
ASF subversion and git services commented on NIFI-9852:
-------------------------------------------------------
Commit 7fde2bbfd1afdd6037765340eca9fc675542323e in nifi's branch
refs/heads/main from David Handermann
[ https://gitbox.apache.org/repos/asf?p=nifi.git;h=7fde2bb ]
NIFI-9852 Upgraded Spring Framework from 5.3.16 to 5.3.18
- Upgraded Spring Boot from 2.6.4 to 2.6.6
Signed-off-by: Nathan Gough <[email protected]>
This closes #5921.
> Upgrade Spring Framework to 5.3.18
> ----------------------------------
>
> Key: NIFI-9852
> URL: https://issues.apache.org/jira/browse/NIFI-9852
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Extensions, NiFi Registry, Security
> Affects Versions: 1.16.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Labels: dependency-upgrade, security
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Spring Framework 5.3.18 corrects several issues, including
> [CVE-2022-22965|https://tanzu.vmware.com/security/CVE-2022-22965]. Spring
> Boot for NiFi Registry should also be upgraded to 2.6.6.
> The [Spring Framework
> announcement|https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement]
> lists the criteria for exploiting the vulnerability. Based on the current
> summary, NiFi and NiFi Registry do not appear to be impacted as both
> applications use Jetty instead of Apache Tomcat, and use JAX-RS with Jersey
> instead of Spring WebMVC or Spring Webflux for defining REST resources.
> Upgrading these dependencies mitigates potential issues.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
