mod-remote-storage: folio-spring-base v4.1.0 update

Description

Upgrade folio-spring-base to 4.1.0
Upgrade spring-boot-starter-parent to 2.7.*

Environment

None

Potential Workaround

None

Aliaksei Harbuz June 9, 2022 at 11:49 AM

Verify at snapshot-2 environment.

Mod-remote-storage responses after changes applied:

Response:

The ticket can be closed as done.

Julian Ladisch June 7, 2022 at 12:29 PM

No, it is not enough. The lower version numbers in this pom.xml overwrite the higher version numbers provided by spring-boot-starter-parent. For details see comments on pull request.

Oleksandr Bozhko June 6, 2022 at 9:42 AM

Hello. Could you please clarify whether upgrading org.postgresql, com.hazelcast and org.apache.logging.log4j is enough? I mean that spring-kafka has version 2.8.2 against 2.8.6 in spring-boot-starter-parent-2.7.0.

Julian Ladisch June 5, 2022 at 10:35 AM

The upgrade of spring-boot-starter-parent to 2.7.0 hasn't been fully completed.

These changes are missing:

spring-boot-starter-parent-2.7.0 ships with spring-boot-dependencies-2.7.0 with current versions of dependencies:

https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-parent/2.7.0/spring-boot-starter-parent-2.7.0.pom
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.0/spring-boot-dependencies-2.7.0.pom

Downgrading them to old versions pulls vulnerable versions into mod-remote-storage:

org.postgresql:postgresql@42.2.18 allows Remote Code Execution (RCE): https://nvd.nist.gov/vuln/detail/CVE-2022-21724 ; and Arbitrary Code Injection: https://security.snyk.io/vuln/SNYK-JAVA-ORGPOSTGRESQL-2401816

com.hazelcast:hazelcast@4.0.2 allows XML External Entity (XXE) Injection: https://app.snyk.io/vuln/SNYK-JAVA-COMHAZELCAST-1018909

org.apache.logging.log4j:log4j-core@2.16.0 allows Denial of Service (DoS): https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45105 ; and Arbitrary Code Execution: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44832
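
A check for the override problem described in the comment above, added here as an example (it is not code from the ticket or from mod-remote-storage): it parses a pom.xml, lists every dependency `<version>` and every `*.version` property the module sets itself, and returns the pom with those elements removed so the parent's managed versions apply. The pom fragment is constructed to mirror the versions named in the ticket; dropping a pin is only safe for artifacts the parent BOM actually manages, which `mvn help:effective-pom` confirms.

```python
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
ET.register_namespace("", POM_NS)  # serialize with the default namespace

# Constructed pom.xml fragment (not the module's real pom): explicit
# <version> tags and a *.version property pin the old releases named in
# the ticket, overriding the versions managed by spring-boot-starter-parent.
VULNERABLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
  </parent>
  <properties>
    <log4j2.version>2.16.0</log4j2.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.postgresql</groupId>
      <artifactId>postgresql</artifactId>
      <version>42.2.18</version>
    </dependency>
    <dependency>
      <groupId>com.hazelcast</groupId>
      <artifactId>hazelcast</artifactId>
      <version>4.0.2</version>
    </dependency>
  </dependencies>
</project>"""

def strip_overrides(pom_xml):
    """Return (overrides, cleaned_xml): overrides maps each artifact or
    property whose version the pom sets itself to that version; cleaned_xml
    is the pom with those elements removed so the parent BOM's versions apply."""
    root = ET.fromstring(pom_xml)
    found = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        version = dep.find("m:version", NS)
        if version is not None:  # explicit pin beats the managed version
            found[dep.findtext("m:groupId", "", NS) + ":" + dep.findtext("m:artifactId", "", NS)] = version.text.strip()
            dep.remove(version)
    props = root.find("m:properties", NS)
    for prop in (list(props) if props is not None else []):
        name = prop.tag.split("}")[-1]  # drop the namespace prefix
        if name.endswith(".version"):  # e.g. log4j2.version overrides the BOM property
            found[name] = prop.text.strip()
            props.remove(prop)
    return found, ET.tostring(root, encoding="unicode")
```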

Done

Details

Development Team

Firebird

Created February 15, 2022 at 12:43 PM
Updated June 9, 2022 at 11:50 AM
Resolved June 9, 2022 at 11:50 AM