spring-beans and scala-library vulns (CVE-2022-22965, CVE-2022-36944) MG

Description

For 2022-R2 Morning Glory Hot Fix:

Upgrade spring-beans from 5.2.8.RELEASE to 5.2.22.RELEASE fixing Spring4Shell Remote Code Execution:
https://nvd.nist.gov/vuln/detail/CVE-2022-22965

Upgrade scala-library from 2.13.1 to 2.13.10 fixing a Java deserialization gadget chain that can lead to Remote Code Execution (RCE):
https://nvd.nist.gov/vuln/detail/CVE-2022-36944
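A check for the two affected ranges above, added here as an example (not FOLIO or Vega project code). It parses `mvn dependency:tree` output, which is assumed to be the build tool in use; the sample tree lines are constructed, and the affected version ranges are taken from the NVD entries linked above (spring-beans fixed in 5.2.20.RELEASE and 5.3.18, scala-library 2.13.x fixed in 2.13.9).

```python
"""Flag spring-beans / scala-library versions inside the affected ranges.

Added example, not project code. Affected ranges from the NVD entries:
  CVE-2022-22965: spring-beans 5.3.x < 5.3.18, and 5.2.x and older < 5.2.20
  CVE-2022-36944: scala-library 2.13.x < 2.13.9
The dependency-tree lines below are constructed for illustration.
"""
import re
from typing import List, Optional, Tuple

# Matches the coordinate part of a `mvn dependency:tree` line, e.g.
# "[INFO] +- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile"
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):jar:([\w.\-]+)(?::(\w+))?")


def parse_version(v: str) -> Tuple[int, ...]:
    """'5.2.8.RELEASE' -> (5, 2, 8). Parsing stops at the first non-numeric part."""
    parts = []
    for p in v.split("."):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_vulnerable(group: str, artifact: str, version: str) -> Optional[str]:
    """Return the CVE id if the coordinate falls in an affected range, else None.

    An unparsable spring-beans version yields an empty tuple, which compares
    below every threshold, so it is flagged (fail closed) rather than skipped.
    """
    v = parse_version(version)
    if group == "org.springframework" and artifact == "spring-beans":
        if v[:2] == (5, 3) and v < (5, 3, 18):
            return "CVE-2022-22965"
        if v[:2] != (5, 3) and v < (5, 2, 20):
            return "CVE-2022-22965"
    if group == "org.scala-lang" and artifact == "scala-library":
        if v[:2] == (2, 13) and v < (2, 13, 9):
            return "CVE-2022-36944"
    return None


def scan_tree(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (group:artifact, version, cve) for each vulnerable dependency."""
    findings = []
    for line in lines:
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version, _scope = m.groups()
        cve = is_vulnerable(group, artifact, version)
        if cve:
            findings.append((f"{group}:{artifact}", version, cve))
    return findings


# Constructed sample output, mirroring the versions named in this ticket.
BEFORE_FIX = [
    "[INFO] +- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile",
    "[INFO] +- org.scala-lang:scala-library:jar:2.13.1:compile",
    "[INFO] +- org.springframework:spring-core:jar:5.2.8.RELEASE:compile",
]
AFTER_FIX = [
    "[INFO] +- org.springframework:spring-beans:jar:5.2.22.RELEASE:compile",
    "[INFO] +- org.scala-lang:scala-library:jar:2.13.10:compile",
    "[INFO] +- org.springframework:spring-core:jar:5.2.22.RELEASE:compile",
]

if __name__ == "__main__":
    for label, tree in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, scan_tree(tree))
```

Run it against the real tree with `mvn dependency:tree | python3 check.py` style piping if you adapt `scan_tree` to read stdin; the point is to check the resolved tree, not the declared version, since a transitive dependency can still pull in the old spring-beans after the direct one is bumped.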

Before the fix:

After the fix:

CSP Request Details

Spring4Shell hot fixes have been approved in #release_bug_triage on May 6th, 2022

CSP Rejection Details

None

Potential Workaround

None


Activity

Julian Ladisch December 16, 2022 at 9:29 AM

For the reasons explained on FOLIO-3466 the FOLIO Security Team assigned priority P2 and suggests that it should be shipped with Morning Glory Hot Fix 1 or 2 provided that it gets approval in the release_bug_triage Slack channel.

Done

Details

Assignee:
Reporter:
Priority:
Development Team: Vega
Fix versions:
Release: Morning Glory (R2 2022) Hot Fix #1
RCA Group: Related dependency upgrade
CSP Approved: Yes

Created December 2, 2022 at 8:22 AM
Updated February 20, 2023 at 7:04 AM
Resolved December 7, 2022 at 5:30 PM