[ https://issues.apache.org/jira/browse/AXIS2-6032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518943#comment-17518943 ]

Robert Lazarski commented on AXIS2-6032:
----------------------------------------

Don't think so.

The CVE says "A Spring MVC or Spring WebFlux application". Axis2 is neither.
We only include spring-aop, spring-expression, and spring-jcl - not
spring-core nor spring-mvc etc.

We expect an Axis2 release in a week or two - just waiting on an Apache Axiom
release. It'll include the latest spring jars that we distribute.

Going to close the issue, though thanks for bringing it to our attention for 
review.

In general, keep in mind that our lib deps on any project almost always merely
use core functionality, so you can almost always just drop in lib updates or
put them in your pom.xml etc - don't wait on us as these CVEs occur fast and
sometimes have multiple releases.

> About Spring RCE 0Days Vulnerability
> ------------------------------------
>
>                 Key: AXIS2-6032
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6032
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.7.9, 1.8.0
>            Reporter: yanglin
>            Priority: Critical
>
> Hello!
> Is AXIS2 affected by the Spring RCE vulnerability?
> If so, will a new version be released?
>
> CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ 
> may be vulnerable to remote code execution (RCE) via data binding
> https://nvd.nist.gov/vuln/detail/CVE-2022-22965



--
This message was sent by Atlassian Jira
(v8.20.1#820001)