[
https://issues.apache.org/jira/browse/NIFI-9852?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Handermann updated NIFI-9852:
-----------------------------------
Fix Version/s: 1.17.0
1.16.1
Resolution: Fixed
Status: Resolved (was: Patch Available)
> Upgrade Spring Framework to 5.3.18
> ----------------------------------
>
> Key: NIFI-9852
> URL: https://issues.apache.org/jira/browse/NIFI-9852
> Project: Apache NiFi
> Issue Type: Improvement
> Components: Core Framework, Extensions, NiFi Registry, Security
> Affects Versions: 1.16.0
> Reporter: David Handermann
> Assignee: David Handermann
> Priority: Major
> Labels: dependency-upgrade, security
> Fix For: 1.17.0, 1.16.1
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> Spring Framework 5.3.18 corrects several issues, including
> [CVE-2022-22965|https://tanzu.vmware.com/security/CVE-2022-22965]. Spring
> Boot for NiFi Registry should also be upgraded to 2.6.6.
> The [Spring Framework
> announcement|https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement]
> lists the criteria for exploiting the vulnerability. Based on the current
> summary, NiFi and NiFi Registry do not appear to be impacted as both
> applications use Jetty instead of Apache Tomcat, and use JAX-RS with Jersey
> instead of Spring WebMVC or Spring Webflux for defining REST resources.
> Upgrading these dependencies mitigates potential issues.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
