CVE-2022-22965: Spring Framework RCE via Data Binding on JDK 9+

3 views
Skip to first unread message

Benito Gonzalez

unread,
Mar 31, 2022, 7:48:34 PMMar 31
to uPortal Community, Developers, uPortal
Hi folks,

TLDR; uPortal is not affected by this CVE issue because it does not work with JDK 9+ right now.

We have been working to get portlets and uPortal to work with JDK11 over the last few months. That said, we still have a way to go before that effort is complete. Before we officially say we support JDK11+, we will need to also address our Spring versions. Currently, uPortal uses Spring 4 due to official support for portlets being removed in Spring 5. There is support outside the official Spring repos, so we will move forward with the Spring 5 upgrade later this year.

Have a great day!
-bjagg

--
Benito J. Gonzalez
Software Architect
Unicon, Inc.
GitHub:  bjagg
GitLab:  bjagg
BitBucket:  bjagg

Julien Gribonvald

unread,
Apr 1, 2022, 10:05:32 AMApr 1
to uport...@apereo.org

Thanks Benito for the report !

On an other side, I would just advice/recommand to upgrade/check your java update version, the latest is the update 322.

For those who aren't adviced:

The free and open distribution AdoptOpenJdk was moved to Adoptium and the distribution name Temurin now, see https://blog.adoptopenjdk.net/2021/08/goodbye-adoptopenjdk-hello-adoptium/

And so to upgrade to the latest version you can follow this step by step blog/doc to install temium packaging: https://blog.adoptium.net/2021/12/eclipse-temurin-linux-installers-available/

Best regards

Julien Gribonvald
--
You received this message because you are subscribed to the Google Groups "uPortal Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to uportal-dev...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/uportal-dev/CAJ_1GkTyR8vHuQOSzPp9hSoUE-RFrUcj-XNWohR1vgsa8oVDyA%40mail.gmail.com.
Reply all
Reply to author
Forward
0 new messages