Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerabilities affecting Spring Cloud Dataflow dependencies #5780

Closed
shalomyasap opened this issue Apr 17, 2024 · 2 comments · Fixed by #5804
Closed

Vulnerabilities affecting Spring Cloud Dataflow dependencies #5780

shalomyasap opened this issue Apr 17, 2024 · 2 comments · Fixed by #5804
Labels
area/dependencies Belongs project dependencies
Milestone
2.11.3

Comments

@shalomyasap
Copy link

shalomyasap commented Apr 17, 2024
edited
Loading

Running a vulnerabilities scan through the Spring Cloud Dataflow server returns some CVEs affecting the latest release:

  1. CVE-2024-23672 - tomcat-embed-websocket-9.0.83.jar
  2. CVE-2024-24549 - tomcat-embed-core-9.0.83.jar
  3. CVE-2024-22257 - spring-security-core-5.7.6.jar
  4. CVE-2024-29025 - netty-codec-http-4.1.101.Final.jar
  5. CVE-2023-52428 - nimbus-jose-jwt-9.22.jar
  6. CVE-2024-31033 - jjwt-impl-0.11.2.jar
  7. CVE-2024-22262 - spring-web-5.3.31.jar
  8. CVE-2016-1000027 - spring-web-5.3.31.jar

Could you confirm whether the App is affected by these vulnerabilities and if so, are there plans to update the related dependencies and release it soon?

This reference to latest release v2.11.2

Many thanks,
Shalom
@github-actions github-actions bot added the status/need-triage Team needs to triage and take a first look label Apr 17, 2024
@corneil corneil added area/dependencies Belongs project dependencies and removed status/need-triage Team needs to triage and take a first look labels Apr 17, 2024
@corneil
Copy link
Contributor

corneil commented Apr 17, 2024

2.11.3-SNAPSHOT is updating to Spring Framework 5.3.33
The only one that will remain is CVE-2016-1000027 with mitigation described here.

@shalomyasap
Copy link
Author

Thank you for the update.
When is version 2.11.3-SNAPSHOT expected to be released?

onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Update Netty and Reactor for CVE-2024-29025
c0d8f33 
* Updates Netty to 4.1.109.Final
* Updates Reactor BOM to 2020.0.43

See spring-cloud#5780
@onobc onobc mentioned this issue May 9, 2024
Merged
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Update Netty (and family) for CVE-2024-29025
4d9f517 
* Updates Netty to 4.1.109.Final
* Updates Reactor BOM to 2020.0.43
* Updates Rsocket BOM to 1.1.4

The updates to Reactor and Rsocket are not absolutely necessary as
they will use the updated Netty version. However, it is good hygiene to
keep them up-to-date.

See spring-cloud#5780
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Update Tomcat embedded to 9.0.88
d16970f 
Addresses the following CVEs:
- CVE-2024-23672
- CVE-2024-24549

See spring-cloud#5780
@onobc onobc mentioned this issue May 9, 2024
Merged
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Update Tomcat embedded to 9.0.88
628c700 
Addresses the following CVEs:
- CVE-2024-23672
- CVE-2024-24549

See spring-cloud#5780
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Update Tomcat embedded to 9.0.88
0f500e2 
Addresses the following CVEs:
- CVE-2024-23672
- CVE-2024-24549

See spring-cloud#5780
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Update Nimbus to 9.37.2 for CVE-2023-52428
c426eb7 
See spring-cloud#5780
@onobc onobc mentioned this issue May 9, 2024
Merged
corneil pushed a commit that referenced this issue May 9, 2024
@onobc
Update Netty (and family) for CVE-2024-29025 (#5796)
5248371 
* Updates Netty to 4.1.109.Final
* Updates Reactor BOM to 2020.0.43
* Updates Rsocket BOM to 1.1.4

The updates to Reactor and Rsocket are not absolutely necessary as
they will use the updated Netty version. However, it is good hygiene to
keep them up-to-date.

See #5780
corneil pushed a commit that referenced this issue May 9, 2024
@onobc
Update Nimbus to 9.37.2 for CVE-2023-52428 (#5799)
93b7580 
See #5780
corneil added a commit that referenced this issue May 9, 2024
@onobc @corneil
Update Tomcat embedded to 9.0.88 (#5797)
9efd42b 
Addresses the following CVEs:
- CVE-2024-23672
- CVE-2024-24549

See #5780

Co-authored-by: Corneil du Plessis <corneil.du-plessis@broadcom.com>
corneil added a commit to corneil/spring-cloud-dataflow that referenced this issue May 9, 2024
@corneil
Update for CVEs
44c0602 
Add dependencies to server projects to ensure they will take effect.

See spring-cloud#5780
@corneil corneil mentioned this issue May 9, 2024
Closed
@corneil corneil added this to the 2.11.3 milestone May 9, 2024
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Fix Tomcat embedded dep. mgmt.
9e839c5 
Update the dep. mgmt. entries for Tomcat embedded as the
previous commit used the wrong groupId (missing `.embed`
suffix).

See spring-cloud#5780
@onobc onobc mentioned this issue May 9, 2024
Merged
onobc added a commit that referenced this issue May 9, 2024
@onobc
Fix Tomcat embedded dep. mgmt. (#5803)
178a426 
* Fix Tomcat embedded dep. mgmt.

Update the dep. mgmt. entries for Tomcat embedded as the
previous commit used the wrong groupId (missing `.embed`
suffix).

See #5780
onobc added a commit to onobc/spring-cloud-dataflow that referenced this issue May 9, 2024
@onobc
Update Bouncycastle to 1.78.1 for CVE-2023-33201
585001a 
Resolves spring-cloud#5780
@onobc onobc mentioned this issue May 9, 2024
Merged
onobc added a commit that referenced this issue May 9, 2024
@onobc
Update Bouncycastle to 1.78.1 for CVE-2023-33201 (#5804)
3b9cf4e 
Resolves #5780
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/dependencies Belongs project dependencies
Projects
None yet
Milestone
2.11.3
Development

Successfully merging a pull request may close this issue.

Update Bouncycastle to 1.78.1 for CVE-2023-33201 onobc/spring-cloud-dataflow
2 participants
@corneil @shalomyasap