Spring RCEs: Java 9+, Spring Framework

Baron Fujimoto

Mar 31, 2022, 2:08:16 PM
to CAS Community
I haven't seen any mention of this on the list yet, but it has been recently disclosed that applications based on Spring and Java 9+ may be vulnerable to severe RCEs.

Refs:
• <https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement>
• <https://tanzu.vmware.com/security/cve-2022-22965>

It appears that CAS 6 may be vulnerable. Our CAS 6.3.7.4 at least appears to use spring-core-5.3.8.jar. Is there any info available on planned patches to address these issues?
--
Baron Fujimoto <ba...@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum

Mohamed Abouelela

Mar 31, 2022, 2:24:47 PM
to cas-...@apereo.org

--
Best Regards,
Mohamed M. Aboulela

harmeet singh

Mar 31, 2022, 5:07:44 PM
to CAS Community, mmost...@gmail.com
Hi everyone,

I have gone through the blog post mentioned above, and I see that the Spring version was updated from 5.3.9 to 5.3.18. However, is there a need to update the Spring Boot version as well, from 2.5.4 to 2.5.12?

Thanks,
Harmeet

artur mis

Apr 1, 2022, 8:32:48 AM
to CAS Community, harme...@gmail.com, mmost...@gmail.com
Exactly, what about:

 cat gradle.properties

cas.version=6.4.6.2
springBootVersion=2.5.7

harmeet singh

Apr 5, 2022, 1:02:53 PM
to CAS Community, artur mis, harmeet singh, mmost...@gmail.com
Hi Guys,

Any update on the Spring Boot version?


Regards,
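
An added example, not part of the thread or of CAS: a version check for the Spring Framework jars bundled in a WAR, such as the spring-core-5.3.8.jar noted in the first post, against the fixed releases 5.3.18 (named above) and 5.2.20 (from the Spring advisory). The function names, the `check-manually` status and the sample jar list are constructed for illustration; a `needs-upgrade` result shows only that the bundled version predates the fix.

```python
import io
import re
import zipfile

# Fixed releases: 5.3.18 is named in this thread; 5.2.20 is the 5.2.x fix
# listed in the Spring advisory for CVE-2022-22965.
FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}
JAR_RE = re.compile(
    r"WEB-INF/lib/(spring-(?:core|beans|webmvc|webflux))"
    r"-(\d+)\.(\d+)\.(\d+)[^/]*\.jar$"
)


def audit_war(war):
    """Return [(artifact, version, status)] for Spring Framework jars in a WAR.

    `war` is a path or binary file object. status is 'fixed', 'needs-upgrade',
    or 'check-manually' (minor line with no fixed release in FIXED).
    """
    findings = []
    with zipfile.ZipFile(war) as zf:
        for name in sorted(zf.namelist()):
            m = JAR_RE.search(name)
            if not m:
                continue  # not a Spring Framework jar we track
            version = tuple(int(x) for x in m.group(2, 3, 4))
            fixed = FIXED.get(version[:2])
            if fixed is None:
                status = "check-manually"
            else:
                status = "fixed" if version >= fixed else "needs-upgrade"
            findings.append((m.group(1), ".".join(map(str, version)), status))
    return findings


def build_sample_war(jar_names):
    """Constructed sample: an in-memory WAR of empty files with these names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for jar in jar_names:
            zf.writestr("WEB-INF/lib/" + jar, b"")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_war(["spring-core-5.3.8.jar", "commons-lang3-3.12.0.jar"])
    for artifact, version, status in audit_war(sample):
        print(artifact, version, status)
```

Passing a real path, for example `audit_war("cas.war")` (file name assumed), runs the same check on a built WAR.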
