What is the correct way to solve this vulnerability? Should we upgrade version spring shell version to 5.2.20
I am using Spring Boot directly – upgrade to version 2.6.6
JFrog platform is not vulnerable to SpringShell CVE-2022-22965.
JFrog's Security Research team investigated and detailed their findings and remediation strategies in this blog, and introducing a new set of OSS tools to help developers address this latest threat.
The documents from JFrog, below should help you on this issue and remediation
https://jfrog.com/blog/springshell-zero-day-vulnerability-all-you-need-to-know/
https://jfrog.com/blog/springshell-remediation-cookbook/
Related
Qualys reports that there are severe vulnerabilities in geoserver and geowebcache relating to the spring files. At the moment we run geoserver 2.20.4 and geowebcache 1.20.3, but still getting these vulnerabilities.
Which versions of geoserver and geowebcache are CLEAN?
Please respect the project's responsible disclosure guide lines - if you have an urgent need to have fixes applied to the project then you should do it yourselves or contract with a commercial supplier to do it for you.
Disclosure: I work for one of those suppliers.
Before the log4j shell issue happened last month I was using 'org.springframework.boot:spring-boot-starter-logging:1.5.22.RELEASE' which has internal dependencies on
ch.qos.logback:logback-classic:1.1.11 and ch.qos.logback:logback-core:1.1.11 jars respectively.
After that log4j shell issue occurred I had upgraded both the jars to version ch.qos.logback:logback-classic:1.2.3 and ch.qos.logback:logback-core:1.2.3 with gradle v3.5 which works fine. Now when I am trying to upgrade jars to logback-classic:1.2.10 and logback-core:1.2.10, this stops me while running the application stating below error:
org.gradle.tooling.BuildException: Could not execute build using Gradle distribution 'https://services.gradle.org/distributions/gradle-3.5-all.zip'.
Do I need to move to higher version of Grails or Gradle 3.5 have any issue with upgrade. Please any hint or guidance is most welcome.
From https://logback.qos.ch/news.html
We note that the vulnerability mentioned in CVE-2021-42550 requires
write access to logback's configuration file as a prerequisite. Please
understand that log4Shell and CVE-2021-42550 are of different severity
levels. In response to CVE-2021-42550 (aka LOGBACK-1591) we have
decided to make the following steps. 1) Hardened logback's JNDI lookup
mechanism to only honor requests in the java: namespace. All other
types of requests are ignored. Many thanks to Michael Osipov for
suggesting this change and providing the relvant PR. 2) SMTPAppender
was hardened. 3) Temporarily removed DB support for security reasons.
4) Removed Groovy configuration support. As logging is so
pervasive and configuration with Groovy is probably too powerful, this
feature is unlikely to be reinstated for security reasons. We note
that the aforementioned vulnerability requires write access to
logback's configuration file as a prerequisite. Please understand that
log4Shell/CVE-2021-44228 and CVE-2021-42550 are of different severity
levels. A successul RCE attack with CVE-2021-42550 requires all of the
following conditions to be met: write access to logback.xml use of
versions < 1.2.9 reloading of poisoned configuration data, which
implies application restart or scan="true" set prior to attack As an
additional extra precaution, in addition to upgrading to logback
version 1.2.9, we also recommend users to set their logback
configuration files as read-only
For now no support for grails so v1.2.9 onwards logback is not supported for now.
My company's Sonatype scan shows Spring-Web is vulnerable even for the latest version (currently 5.2.3.RELEASE).
It reads:
"Found security vulnerability CVE-2016-1000027 with severity 9.8".
I noticed CVE-2016-1000027 is added to the NATIONAL VULNERABILITY DATABASE
on 01/02/2020, and it is in regards to
"Spring Framework 4.1.4 suffers from a potential remote code execution
(RCE) issue if used for Java deserialization of untrusted data".
Is this an obsolete ticket or has it not be resolved after 4 years?
This issue is resolved from a Spring Framework point of view, see my latest comment summarizing the situation on that issue. Your application is only vulnerable if you're using HTTPInvokerServiceExporter or RemoteInvocationSerializingExporter and reading data from untrusted sources.
Deserializing Java code from untrusted sources is a well-known problem in Java (so, all Java applications and Frameworks!), and this feature might be removed in future Java versions.
Given the nature of this security problem (there's no way to "fix it" besides removing the classes, which will be done in the next major version of Spring Framework), contacting your vendor or your security team is the best course of action. The Spring team is happy to help the community with this matter by providing more context on that issue if needed.
I am using the YangUI on the REST API of ODL(Oxygen Release) and I want to use the config features of opendaylight-inventory but I can only see the operational ones. Like this.
¿What can be the problem?
I have solved installing the same features on a previous ODL release. I don't know why but I can't see config features on Oxygen.
Does anyone know what the state is of the Spring Integration Extensions at https://github.com/spring-projects/spring-integration-extensions ?
Some seem outdated with regards to Spring versions. And others, whilst updated, don't seem to have recent releases or snapshots available at http://repo.spring.io/libs-snapshot/org/springframework/integration/ .
For example I wanted to integrate with AWS, but cant find a release or snapshot for the latest version of Spring Integration. And SQS support has been "coming soon" for some time.
The outdatedness of those that do exist, and lack of clarity on what is intended, make me concerned to use any of them. Does anyone know what the Spring team's intention is with regards to the release cycle of these extensions? Are they viewed as incubators that will eventually move into Spring Integration core, or something else?
Cheers,
Menno
Spring Integration extensions are community provided, and they will constantly change according to the will of the community. Your best chance is to get in touch with the contributors of the AWS extension.
You should use them, once you understand what they are doing, there are no more guarantees than other Spring projects, only the fact that others are also using it.