mod-remote-storage: folio-spring-base v4.1.0 update

Verify at snapshot-2 environment.

Mod-remote-storage responses after changes applied:

Response:

The ticket can be closed as done.

No, it is not enough. The lower version numbers in this pom.xml overwrite the higher version numbers provided by spring-boot-starter-parent. For details see comments on pull request.

Hello . Could you please clarify whether upgrading org.postgresql, com.hazelcast and org.apache.logging.log4j is enough? I mean that spring-kafka has 2.8.2 version against 2.8.6 in spring-boot-starter-parent-2.7.0.

The upgrade to spring-boot-starter-parent to 2.7.0 hasn't been fully completed.

These changes are missing:

spring-boot-starter-parent-2.7.0 ships with spring-boot-dependencies-2.7.0 with current versions of dependencies:

https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-starter-parent/2.7.0/spring-boot-starter-parent-2.7.0.pom
https://repo1.maven.org/maven2/org/springframework/boot/spring-boot-dependencies/2.7.0/spring-boot-dependencies-2.7.0.pom

Downgrading them to old versions pulls vulnerable versions into mod-remote-storage:

org.postgresql:postgresql@42.2.18 allows Remote Code Execution (RCE): https://nvd.nist.gov/vuln/detail/CVE-2022-21724 ; and Arbitrary Code Injection: https://security.snyk.io/vuln/SNYK-JAVA-ORGPOSTGRESQL-2401816

com.hazelcast:hazelcast@4.0.2 allows XML External Entity (XXE) Injection: https://app.snyk.io/vuln/SNYK-JAVA-COMHAZELCAST-1018909

org.apache.logging.log4j:log4j-core@2.16.0 allows Denial of Service (DoS): https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45105 ; and Arbitrary Code Execution: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44832