How to fix CVE-2022-22965 in CAS6.2.4


Thomas Tong

Apr 1, 2022, 10:41:49 AM
to CAS Community
Our online CAS is running on 6.2.4. Could you let me know if there are any ways to fix CVE-2022-22965, which is fixed in Spring 5.3.18 and 5.2.20? Thank you very much.

Dustin Luck

Apr 1, 2022, 3:50:55 PM
to CAS Community, thms...@gmail.com
According to the announcement from Spring, one workaround is to upgrade Tomcat until you can upgrade your CAS instance to a supported version.

"For older, unsupported Spring Framework versions, upgrading to Apache Tomcat 10.0.20, 9.0.62, or 8.5.78, provides adequate protection. However, this should be seen as a tactical solution, and the main goal should be to upgrade to a currently supported Spring Framework version as soon as possible."
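
Added example, not part of the thread and not CAS or Spring code: a Python check that compares a deployment's Spring Framework and Tomcat versions against the fixed releases quoted above and reports whether it is patched, covered only by the Tomcat workaround, or unconfirmed. The jar names and Tomcat banner are constructed sample inputs, and the function names and status labels are this example's own.

```python
import re

# Fixed releases quoted in the thread above, keyed by release line.
SPRING_FIXED = {(5, 2): (5, 2, 20), (5, 3): (5, 3, 18)}
TOMCAT_FIXED = {(8, 5): (8, 5, 78), (9, 0): (9, 0, 62), (10, 0): (10, 0, 20)}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first x.y.z triple found in text as ints, or None."""
    m = _VER.search(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def meets_floor(version, floors):
    """Compare a version with the fixed release of its own release line.
    Returns True/False, or None when the thread names no fix for that line."""
    if version is None or version[:2] not in floors:
        return None
    return version >= floors[version[:2]]


def assess(lib_jars, tomcat_server_info):
    """Classify a deployment from WEB-INF/lib jar names and the Tomcat banner."""
    spring = None
    for name in lib_jars:
        if name.startswith("spring-beans-"):
            spring = parse_version(name)
    if meets_floor(spring, SPRING_FIXED):
        return "patched"        # Spring Framework itself is at a fixed release
    if meets_floor(parse_version(tomcat_server_info), TOMCAT_FIXED):
        return "tactical"       # only the Tomcat workaround applies
    return "unconfirmed"        # neither condition could be established


if __name__ == "__main__":
    # Constructed sample input: jar names as they might appear in WEB-INF/lib.
    jars = ["cas-server-core-6.2.4.jar", "spring-beans-5.2.9.RELEASE.jar"]
    for banner in ("Apache Tomcat/9.0.45", "Apache Tomcat/9.0.62"):
        print(banner, "->", assess(jars, banner))
```

A "tactical" result matches the quoted guidance: the Tomcat upgrade holds the line, but the Spring Framework upgrade is still outstanding.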

