Spring Boot 3.1.8, Kafka 3.6.1, folio-spring-base 7.2.2

Description

Upgrade Spring Boot from 3.1.4 to 3.1.8.

The Spring Boot upgrade indirectly upgrades tomcat-embed-core from 10.1.13 to 10.1.18 fixing multiple vulnerabilities:

The Spring Boot upgrade indirectly upgrades spring-boot-starter-actuator from 3.1.4 to 3.1.8 fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-34055

Upgrade kafka from 3.4.1 to 3.6.1. The kafka-client upgrade upgrades snappy-java from 1.1.8.4 to 1.1.10.5 fixing these vulnerabilities:

Upgrade folio-spring-base from 7.2.0 to 7.2.2.

The folio-spring-base upgrade indirectly upgrades commons-fileupload from 1.4 to 1.5 fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-24998

The folio-spring-base upgrade indirectly upgrades spring-web from 6.0.12 to 6.0.16 fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2023-34053

Move mockserver-client-java from runtime dependency to test dependency. This removes com.jayway.jsonpath:json-path@2.8.0 dependency from the runtime. That json-path version has a Buffer Overflow vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2023-51074

Exclude bouncycastle:bcprov-jdk18on and bouncycastle:bcpkix-jdk18on from the mockserver-client-java dependency so that it no longer downgrades bcprov-jdk18on and bcpkix-jdk18on from 1.73 (provided by folio-spring-base) to 1.72. 1.72 is vulnerable: https://nvd.nist.gov/vuln/detail/CVE-2023-33202
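The last two steps (test scope for mockserver-client-java and the Bouncy Castle exclusions) as a Maven dependency declaration. This is an added example, not the module's own pom.xml; it assumes Maven, the published coordinates org.mock-server:mockserver-client-java and org.bouncycastle:bcprov-jdk18on / bcpkix-jdk18on, and a placeholder for the mockserver version.

```xml
<!-- Added example, not the project's pom.xml. Assumes Maven coordinates
     org.mock-server:mockserver-client-java and org.bouncycastle:bc*-jdk18on;
     the version below is a placeholder. -->
<dependency>
  <groupId>org.mock-server</groupId>
  <artifactId>mockserver-client-java</artifactId>
  <version>MOCKSERVER_VERSION_PLACEHOLDER</version>
  <!-- test scope keeps mockserver and its transitive json-path 2.8.0
       (CVE-2023-51074) off the runtime classpath -->
  <scope>test</scope>
  <exclusions>
    <!-- drop mockserver's bcprov/bcpkix 1.72 so folio-spring-base's 1.73
         (CVE-2023-33202 fixed) is the version Maven resolves -->
    <exclusion>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcprov-jdk18on</artifactId>
    </exclusion>
    <exclusion>
      <groupId>org.bouncycastle</groupId>
      <artifactId>bcpkix-jdk18on</artifactId>
    </exclusion>
  </exclusions>
</dependency>
```

To confirm the result, `mvn dependency:tree -Dincludes=org.bouncycastle,com.jayway.jsonpath` lists which versions of those artifacts remain and in which scope.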

CSP Request Details

Approved by RMS panel at 02/26

CSP Rejection Details

None

Potential Workaround

None

Checklist



Activity


Julian Ladisch February 29, 2024 at 5:23 PM

mod-data-export-spring is a kafka consumer and therefore is vulnerable to the kafka issues. Therefore the released 3.0.3 version should be included into the next CSP.

Magda Zacharska February 29, 2024 at 5:10 PM

The observed failing jobs are caused by .

Magda Zacharska February 29, 2024 at 4:21 PM

I attempted to verify on the bugfest environment but all exports fail. The issue might be environmental or related to the library updates.

Aliaksei Harbuz February 28, 2024 at 6:53 AM

released

Mikita Siadykh February 21, 2024 at 10:04 AM

hi

there is no label security-reviewed, should it be still released as CSP?

Done

Details

Development Team

Firebird

Fix versions

Release

Poppy (R2 2023) Service Patch #2

RCA Group

Related dependency upgrade

CSP Approved

Yes

Affected releases

Poppy (R2 2023)

Created January 26, 2024 at 10:29 PM
Updated March 18, 2024 at 10:36 PM
Resolved February 7, 2024 at 2:25 PM