mod-remote-storage: folio-spring-base v4.1.0 update
Activity

Aliaksei Harbuz June 9, 2022 at 11:49 AM
Verified on the snapshot-2 environment.
Mod-remote-storage responses after changes applied:
Response:
The ticket can be closed as done.

Julian Ladisch June 7, 2022 at 12:29 PM
No, it is not enough. The lower version numbers in this pom.xml overwrite the higher version numbers provided by spring-boot-starter-parent. For details see comments on pull request.

Oleksandr Bozhko June 6, 2022 at 9:42 AM
Hello. Could you please clarify whether upgrading org.postgresql, com.hazelcast and org.apache.logging.log4j is enough? I mean that spring-kafka has version 2.8.2 against 2.8.6 in spring-boot-starter-parent-2.7.0.

Julian Ladisch June 5, 2022 at 10:35 AM
The upgrade of spring-boot-starter-parent to 2.7.0 hasn't been fully completed.
These changes are missing:
spring-boot-starter-parent-2.7.0 ships with spring-boot-dependencies-2.7.0 with current versions of dependencies:
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-parent/2.7.0/spring-boot-starter-parent-2.7.0.pom
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.0/spring-boot-dependencies-2.7.0.pom
Downgrading them to old versions pulls vulnerable versions into mod-remote-storage:
org.postgresql:postgresql@42.2.18 allows Remote Code Execution (RCE): https://nvd.nist.gov/vuln/detail/CVE-2022-21724 ; and Arbitrary Code Injection: https://security.snyk.io/vuln/SNYK-JAVA-ORGPOSTGRESQL-2401816
com.hazelcast:hazelcast@4.0.2 allows XML External Entity (XXE) Injection: https://app.snyk.io/vuln/SNYK-JAVA-COMHAZELCAST-1018909
org.apache.logging.log4j:log4j-core@2.16.0 allows Denial of Service (DoS): https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45105 ; and Arbitrary Code Execution: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44832
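As an added illustration of the mechanism described in this thread (not code from the ticket or from the mod-remote-storage project): a small audit script that parses a pom.xml and reports every dependency whose explicit <version> is lower than the version the parent BOM already manages, which is exactly how the pinned versions above override spring-boot-dependencies-2.7.0. The sample pom and the managed-version table are constructed; the managed versions are my reading of spring-boot-dependencies-2.7.0 (spring-kafka 2.8.6 is the one cited in the thread) and should be confirmed against the pom linked above.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed sample pom.xml modelled on the situation in this ticket: the parent
# is spring-boot-starter-parent 2.7.0, but the module still pins older versions.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.7.0</version>
  </parent>
  <dependencies>
    <dependency><groupId>org.postgresql</groupId><artifactId>postgresql</artifactId><version>42.2.18</version></dependency>
    <dependency><groupId>com.hazelcast</groupId><artifactId>hazelcast</artifactId><version>4.0.2</version></dependency>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.16.0</version></dependency>
    <dependency><groupId>org.springframework.kafka</groupId><artifactId>spring-kafka</artifactId><version>2.8.2</version></dependency>
    <dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web</artifactId></dependency>
  </dependencies>
</project>"""

# Versions managed by spring-boot-dependencies-2.7.0. Assumption: taken from my
# reading of that BOM; re-check against the linked pom before relying on them.
MANAGED = {
    "org.postgresql:postgresql": "42.3.6",
    "com.hazelcast:hazelcast": "5.1.1",
    "org.apache.logging.log4j:log4j-core": "2.17.2",
    "org.springframework.kafka:spring-kafka": "2.8.6",
}

def version_key(v):
    """Turn '42.2.18' into a comparable tuple; non-numeric qualifiers sort before numbers."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in re.split(r"[.\-]", v))

def find_downgrades(pom_xml, managed=MANAGED):
    """Return {'group:artifact': (pinned, managed)} for each dependency whose explicit
    <version> undercuts the version the parent BOM manages. Dependencies without a
    <version> are skipped: they inherit the managed version, which is the desired state."""
    root = ET.fromstring(pom_xml)
    downgrades = {}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        ga = f"{dep.findtext('m:groupId', namespaces=NS)}:{dep.findtext('m:artifactId', namespaces=NS)}"
        pinned = dep.findtext("m:version", namespaces=NS)
        if pinned is not None and ga in managed and version_key(pinned) < version_key(managed[ga]):
            downgrades[ga] = (pinned, managed[ga])
    return downgrades

if __name__ == "__main__":
    for ga, (pinned, wanted) in find_downgrades(SAMPLE_POM).items():
        print(f"{ga}: pom pins {pinned}, parent manages {wanted} -> remove the <version> element")
```

Running it against a real module's pom.xml with a table built from the BOM gives the same list a reviewer would otherwise assemble by hand from `mvn dependency:tree`.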
Upgrade folio-spring-base to 4.1.0
Upgrade spring-boot-starter-parent to 2.7.*