CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+


Benito Gonzalez

Mar 31, 2022, 7:48:34 PM
to uPortal Community, Developers, uPortal
Hi folks,

TLDR; uPortal is not affected by this CVE issue because it does not work with JDK 9+ right now.

We have been working to get portlets and uPortal to work with JDK11 over the last few months. That said, we still have a way to go before that effort is complete. Before we officially say we support JDK11+, we will need to also address our Spring versions. Currently, uPortal uses Spring 4 due to official support for portlets being removed in Spring 5. There is support outside the official Spring repos, so we will move forward with the Spring 5 upgrade later this year.

Have a great day!
-bjagg

--
Benito J. Gonzalez
Software Architect
Unicon, Inc.
GitHub:  bjagg
GitLab:  bjagg
BitBucket:  bjagg

Julien Gribonvald

Apr 1, 2022, 10:05:32 AM
to uport...@apereo.org

Thanks Benito for the report!

On another note, I would just advise/recommend upgrading/checking your Java update version; the latest is update 322.

For those who haven't been advised:

The free and open distribution AdoptOpenJDK has moved to Adoptium, and the distribution is now named Temurin; see https://blog.adoptopenjdk.net/2021/08/goodbye-adoptopenjdk-hello-adoptium/

And so, to upgrade to the latest version, you can follow this step-by-step blog/doc to install the Temurin packaging: https://blog.adoptium.net/2021/12/eclipse-temurin-linux-installers-available/

Best regards

Julien Gribonvald