[FOLIO-3466] Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965) Created: 30/Mar/22  Updated: 19/Jan/23  Resolved: 19/Jan/23

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Umbrella Priority: P2
Reporter: Jakub Skoczen Assignee: Unassigned
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Blocks
is blocked by EDGINREACH-32 Spring4Shell Morning Glory (CVE-2022-... Closed
is blocked by CIRCSTORE-371 mod-pubsub-client 2.7.0, Spring 5.3.2... Closed
is blocked by EDGCSOFT-35 Spring4Shell Morning Glory (CVE-2022-... Closed
is blocked by EDGCSOFT-36 Spring4Shell Lotus R1 2022 (CVE-2022-... Closed
is blocked by EDGDEMATIC-63 Spring4Shell Morning Glory (CVE-2022-... Closed
is blocked by EDGDEMATIC-64 Spring4Shell Lotus (CVE-2022-22965) Closed
is blocked by FDIS-17 Spring4Shell RCE (CVE-2022-22965), sp... Closed
is blocked by MDEXP-529 Spring4Shell mod-data-export-spring-m... Closed
is blocked by MODAUD-119 Spring4Shell Morning Glory R2 2022 (C... Closed
is blocked by MODDATAIMP-730 Spring 5.3, kafkaclients 3.2.3, folio... Closed
is blocked by MODDATAIMP-732 Spring 5.2.22 fixing spring-beans Spr... Closed
is blocked by MODDICONV-260 spring-beans 5.3.20, Vert.x 4.3.3 fix... Closed
is blocked by MODDICONV-279 Spring 5.2.22 fixing vulnerabilities ... Closed
is blocked by MODPATBLK-152 spring-beans and scala-library vulns ... Closed
is blocked by MODPUBSUB-234 Release 2.5.1 for Lotus HF#1 fixing S... Closed
is blocked by MODPWD-93 Lotus: Spring4Shell (CVE-2022-22965) Closed
is blocked by MODSOURMAN-889 folio-di-support 1.6.0 fixing Spring4... Closed
is blocked by MODSOURMAN-923 Spring 5.2.22 fixing Spring4Shell CVE... Closed
is blocked by ERM-2082 Spring4Shell mod-agreements Morning G... Closed
is blocked by ERM-2083 Determine if any modules affected by ... Closed
is blocked by FDIS-19 Release folio-di-support 1.5.1 Closed
is blocked by MODCFIELDS-69 Upgrade Spring, RMB, folio-di-support... Closed
is blocked by MODEXPW-94 Spring4Shell Morning Glory R2 2022 (C... Closed
is blocked by MODEXPW-95 Spring4Shell Lotus R1 2022 (CVE-2022-... Closed
is blocked by EDGCSOFT-37 Spring4Shell Kiwi R3 2021 (CVE-2022-2... Closed
is blocked by EDGINREACH-33 Spring4Shell Lotus/Kiwi (CVE-2022-22965) Closed
is blocked by MODAUD-118 Spring4Shell Lotus R1 2022 (CVE-2022-... Closed
is blocked by MODLOGSAML-135 Spring4Shell: Update Spring fixing RC... Closed
is blocked by MODPUBSUB-233 folio-di-support 1.5.1, spring-beans ... Closed
Relates
relates to CIRCSTORE-373 Release mod-circulation-storage 14.1.... Closed
relates to CIRCSTORE-383 Spring 5.2.22 (Spring4Shell RCE), sca... Closed
Sprint:
Development Team: Spring Force
CSP Approved: Yes
RCA Group: TBD

Description

Official announcement from spring.io: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

There are three recent issues in Spring Framework:

This Jira is about the last one only. (The others may also be fixed by updating to a fixed version.)

Fix

42 FOLIO platform-complete modules use a vulnerable spring version.

https://github.com/folio-org/platform-complete/actions/workflows/spring-cve-2022-22965.yml automatically maintains a list of all FOLIO back-end modules showing their Spring4Shell status for Kiwi (R3 2021), Lotus (R1 2022), Morning Glory (R2 2022) and Nolana (R3 2022). The list is in "Run cat result.txt".

Patches are available:

  • Spring Framework 5.3.18 and 5.2.20
  • Spring Boot 2.6.6 and 2.5.12
  • Grails Core 5.1.6

It is NOT recommended to only apply workarounds (like not using Tomcat/Payara/Glassfish).
Quote from https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement :

The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater.

Quote from https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 :

we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

After applying the patch run

mvn dependency:tree -Dincludes=org.springframework:spring-beans

or

grails dependency-report runtime | grep spring-beans

and check that spring-beans version is >= 5.3.18 or >= 5.2.20.

Apply the patch on the default branch (main/master), the R2 2022 Morning Glory branch (if exists), and on the Lotus (R1 2022) branch, and release a patch version for Lotus.

We don't need any Kiwi back-port because there are no plans for a Kiwi hot fix #3.
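An added helper for the check step above (example code written for this page, not part of FOLIO's own tooling or the platform-complete workflow): it pulls spring-beans versions out of `mvn dependency:tree` output and applies the ticket's rule, marking anything below 5.3.18 or 5.2.20 as vulnerable, including the older 5.1.x, 3.0.x and 2.5.x lines that appear in the module lists in the comments. The module name and the tree output are constructed samples.

```python
import re
from typing import List, Optional, Tuple

# First fixed releases per Spring Framework line as named in the announcement:
# 5.3.18 and 5.2.20. Lines before 5.2 (5.1.x, 3.0.x, 2.5.x) never received a fix.
FIXED_IN = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}

# Matches a spring-beans artifact line in `mvn dependency:tree` output, e.g.
# "[INFO] +- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile".
SPRING_BEANS = re.compile(r"org\.springframework:spring-beans:jar:([^:\s]+):")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.2.8.RELEASE' or '5.3.14' into a numeric tuple, dropping qualifiers."""
    numbers: List[int] = []
    for piece in text.split("."):
        if not piece.isdigit():
            break  # 'RELEASE' and similar qualifiers end the numeric part
        numbers.append(int(piece))
    if len(numbers) < 2:
        raise ValueError(f"unrecognised spring-beans version: {text!r}")
    return tuple(numbers)


def is_vulnerable(version: str) -> bool:
    """True when spring-beans `version` predates the CVE-2022-22965 fix.

    Ticket rule: mark <5.3.18 or <5.2.20.RELEASE as vuln. A version is only
    'ok' at or beyond the fix on its own line: 5.2.x is not rescued by 5.3.18
    existing, and lines before 5.2 have no fixed release at all.
    """
    v = parse_version(version)
    line = v[:2]
    if line in FIXED_IN:
        return v < FIXED_IN[line]
    return line < (5, 2)  # 5.1.x, 3.0.x, 2.5.x: vulnerable; later lines: fixed


def status_line(module: str, version: Optional[str]) -> str:
    """Render one row in the layout of the platform-complete report:
    'vuln 5.2.8.RELEASE  mod-audit:2.3.0' or '  ok                mod-login:7.6.0'.
    `version` is None when the module has no spring-beans dependency at all.
    """
    status = "vuln" if version is not None and is_vulnerable(version) else "ok"
    ver = version or ""
    return f"{status:>4} {ver:<15}{module}"


def scan_dependency_tree(output: str) -> List[Tuple[str, bool]]:
    """Return (version, vulnerable) for every spring-beans artifact listed in
    `mvn dependency:tree -Dincludes=org.springframework:spring-beans` output."""
    hits = []
    for line in output.splitlines():
        m = SPRING_BEANS.search(line)
        if m:
            hits.append((m.group(1), is_vulnerable(m.group(1))))
    return hits


# Constructed sample of `mvn dependency:tree` output for a hypothetical module
# (not real FOLIO output): spring-beans arrives transitively at a vulnerable version.
SAMPLE_TREE = """\
[INFO] org.example:mod-example:jar:1.0.0
[INFO] \\- org.example:some-support-lib:jar:1.5.0:compile
[INFO]    \\- org.springframework:spring-beans:jar:5.2.8.RELEASE:compile
"""

if __name__ == "__main__":
    for found_version, vuln in scan_dependency_tree(SAMPLE_TREE):
        print(status_line("mod-example:1.0.0", found_version), "(needs patch)" if vuln else "")
```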

Vulnerability

Explanation from snyk:

The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.
Affected versions of this package are vulnerable to Remote Code Execution via manipulation of ClassLoader that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim's application.

The vulnerability is in the spring-beans library of Spring Core in CachedIntrospectionResults.java. See the fix:
https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15
https://github.com/spring-projects/spring-framework/commit/996f701a1916d10202c1d0d281f06ab1f2e1117e

For details see
https://www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html
https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html

Exploit

Quote from https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751 :

Note:

  • Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish.
  • However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.
  • As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.

Quote from https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement :

However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Requirements to exploit the vulnerability:

  • JDK9 and above (FOLIO uses JDK11)
  • Using the Spring-beans package
  • Spring parameter binding is used
  • Spring parameter binding uses non-basic parameter types, such as general POJOs

There can be multiple ways to exploit the vulnerability.

The easiest way to exploit the vulnerability is attacking an installation that runs on an external Tomcat (Apache Tomcat as the Servlet container). This is how the first known and published exploit works. There are reports about ongoing attacks.

FOLIO modules don't use an external Tomcat. Some use spring-boot-starter-tomcat, the embedded Tomcat, which cannot be attacked by the published exploit.

FOLIO modules don't use Payara or Glassfish for which public exploits have been published.

Other exploits are possible but not publicly known and not published.

Threat

As Spring Framework is one of the most popular frameworks for Java and for the Java virtual machine (JVM), it is likely that other exploits affecting FOLIO modules will be developed; the risk grows over time.

Therefore the patches should be applied to mitigate this risk.

Priority for edge modules is P2 because they are not behind Okapi but directly exposed to the internet. Priority for other modules is P3 for Lotus and P2 for Morning Glory and Nolana. Priority to be re-assessed if new findings are made.



Comments
Comment by Craig McNally [ 31/Mar/22 ]

The security team has reviewed this.  We don't think there's a reproducer for FOLIO Modules at this time since we're not using external Tomcat.  However, there may be additional/related attack vectors that would affect FOLIO.

Julian Ladisch is working on identifying the modules which may be affected (that use a vulnerable version of spring)

Comment by Julian Ladisch [ 31/Mar/22 ]

platform-complete, master branch (= Lotus R1 2022)
list spring-beans usage, mark <5.3.18 or <5.2.20.RELEASE as vuln

vuln 5.3.14         edge-caiasoft:1.2.0
  ok                edge-connexion:1.0.5
vuln 5.3.14         edge-dematic:1.5.0
vuln 5.2.9.RELEASE  edge-inn-reach:1.0.3
  ok                edge-ncip:1.7.0
  ok                edge-oai-pmh:2.4.2
  ok                edge-orders:2.5.0
  ok                edge-patron:4.8.0
  ok                edge-rtac:2.4.0
  ok                edge-sip2:2.2.0
vuln 5.1.16.RELEASE mod-agreements:5.1.1
vuln 5.2.8.RELEASE  mod-audit:2.3.0
  ok                mod-authtoken:2.9.1
  ok                mod-calendar:1.14.0
vuln 5.2.18.RELEASE mod-circulation-storage:14.0.0
vuln 5.2.7.RELEASE  mod-circulation:23.0.1
vuln 5.2.8.RELEASE  mod-codex-ekb:1.9.1
  ok                mod-codex-inventory:2.2.0
  ok                mod-codex-mux:2.11.1
  ok                mod-configuration:5.7.6
  ok                mod-copycat:1.2.1
  ok                mod-courses:1.4.3
  ok                mod-data-export-spring:1.3.0
vuln 5.3.14         mod-data-export-worker:1.3.1
vuln 5.1.1.RELEASE  mod-data-export:4.4.0
vuln 5.2.8.RELEASE  mod-data-import-converter-storage:1.13.2
vuln 5.2.8.RELEASE  mod-data-import:2.4.1
vuln 5.2.15.RELEASE mod-ebsconet:1.2.0
  ok                mod-email:1.13.0
vuln 3.0.6.RELEASE  mod-erm-usage-harvester:4.0.0
vuln 3.0.6.RELEASE  mod-erm-usage:4.3.0
  ok                mod-eusage-reports:1.1.1
  ok                mod-event-config:2.2.0
vuln 5.2.8.RELEASE  mod-feesfines:17.1.0
vuln 5.2.8.RELEASE  mod-finance-storage:8.1.0
vuln 5.2.7.RELEASE  mod-finance:4.4.0
  ok                mod-gobi:2.3.0
  ok                mod-graphql:1.9.0
vuln 5.3.5          mod-inn-reach:1.0.2
  ok                mod-inventory-storage:23.0.2
  ok                mod-inventory-update:2.0.2
  ok                mod-inventory:18.1.3
vuln 5.2.6.RELEASE  mod-invoice-storage:5.3.0
vuln 5.2.6.RELEASE  mod-invoice:5.3.1
vuln 5.3.16         mod-kb-ebsco-java:3.10.1
vuln 5.2.7.RELEASE  mod-ldp:1.0.2
vuln 5.1.16.RELEASE mod-licenses:4.1.1
vuln 5.3.7          mod-login-saml:2.4.3
  ok                mod-login:7.6.0
vuln 2.5.6          mod-ncip:1.10.0
vuln 5.3.15         mod-notes:3.0.0
  ok                mod-notify:2.10.0
vuln 5.1.1.RELEASE  mod-oai-pmh:3.7.1
vuln 5.2.8.RELEASE  mod-orders-storage:13.2.1
vuln 5.2.11.RELEASE mod-orders:12.3.1
  ok                mod-organizations-storage:4.2.0
vuln 5.2.8.RELEASE  mod-organizations:1.4.0
vuln 5.3.15         mod-password-validator:2.3.0
vuln 5.2.8.RELEASE  mod-patron-blocks:1.5.0
  ok                mod-patron:5.2.1
  ok                mod-permissions:6.0.2
vuln 5.2.8.RELEASE  mod-pubsub:2.5.0
vuln 5.3.15         mod-quick-marc:2.3.2
vuln 5.3.14         mod-remote-storage:1.5.0
  ok                mod-rtac:3.2.0
vuln 5.3.14         mod-search:1.6.1
  ok                mod-sender:1.7.0
vuln 5.1.16.RELEASE mod-service-interaction:1.0.0
vuln 5.2.8.RELEASE  mod-source-record-manager:3.3.3
vuln 5.2.8.RELEASE  mod-source-record-storage:5.3.1
vuln 5.3.15         mod-tags:1.1.0
  ok                mod-template-engine:1.16.0
  ok                mod-user-import:3.6.4
  ok                mod-users-bl:7.2.1
vuln 5.2.8.RELEASE  mod-users:18.2.0
  ok                mod-z3950:2.4.0
  ok                okapi:4.13.1
Comment by Julian Ladisch [ 31/Mar/22 ]

platform-complete, Kiwi R3 2022 branch
list spring-beans usage, mark <5.3.18 or <5.2.20.RELEASE as vuln

vuln 5.2.9.RELEASE  edge-caiasoft:1.1.2
  ok                edge-connexion:1.0.5
vuln 5.2.9.RELEASE  edge-dematic:1.3.2
vuln 5.2.9.RELEASE  edge-inn-reach:1.0.3
  ok                edge-ncip:1.6.2
  ok                edge-oai-pmh:2.4.2
  ok                edge-orders:2.4.2
  ok                edge-patron:4.6.2
  ok                edge-rtac:2.3.2
  ok                edge-sip2:2.1.4
vuln 5.1.16.RELEASE mod-agreements:5.0.7
vuln 5.2.8.RELEASE  mod-audit:2.2.2
  ok                mod-authtoken:2.9.1
  ok                mod-calendar:1.13.1
vuln 5.2.7.RELEASE  mod-circulation-storage:13.1.1
  ok                mod-circulation:22.1.4
vuln 5.2.8.RELEASE  mod-codex-ekb:1.9.1
  ok                mod-codex-inventory:2.1.1
  ok                mod-codex-mux:2.11.1
  ok                mod-configuration:5.7.6
  ok                mod-copycat:1.1.2
  ok                mod-courses:1.4.3
  ok                mod-data-export-spring:1.2.2
vuln 5.3.8          mod-data-export-worker:1.2.3
vuln 5.1.1.RELEASE  mod-data-export:4.2.4
vuln 5.2.6.RELEASE  mod-data-import-converter-storage:1.12.1
vuln 5.2.8.RELEASE  mod-data-import:2.2.1
vuln 5.2.15.RELEASE mod-ebsconet:1.1.1
  ok                mod-email:1.12.1
vuln 3.0.6.RELEASE  mod-erm-usage-harvester:3.1.4
vuln 3.0.6.RELEASE  mod-erm-usage:4.2.1
  ok                mod-eusage-reports:1.0.5
  ok                mod-event-config:2.1.1
vuln 5.2.8.RELEASE  mod-feesfines:17.0.2
vuln 5.2.8.RELEASE  mod-finance-storage:8.0.3
vuln 5.2.7.RELEASE  mod-finance:4.3.3
  ok                mod-gobi:2.2.1
  ok                mod-graphql:1.9.0
vuln 5.3.5          mod-inn-reach:1.0.2
  ok                mod-inventory-storage:22.0.4
vuln 5.2.8.RELEASE  mod-inventory:18.0.7
vuln 5.2.6.RELEASE  mod-invoice-storage:5.2.1
vuln 5.2.6.RELEASE  mod-invoice:5.2.5
vuln 5.2.8.RELEASE  mod-kb-ebsco-java:3.9.1
vuln 5.2.7.RELEASE  mod-ldp:1.0.2
vuln 5.1.16.RELEASE mod-licenses:4.0.0
vuln 5.3.7          mod-login-saml:2.4.3
  ok                mod-login:7.5.1
vuln 2.5.6          mod-ncip:1.9.1
vuln 5.2.8.RELEASE  mod-notes:2.13.2
  ok                mod-notify:2.9.1
vuln 5.1.1.RELEASE  mod-oai-pmh:3.7.1
vuln 5.2.8.RELEASE  mod-orders-storage:13.1.3
vuln 5.2.11.RELEASE mod-orders:12.2.5
  ok                mod-organizations-storage:4.1.1
vuln 5.2.8.RELEASE  mod-organizations:1.3.1
vuln 5.2.9.RELEASE  mod-password-validator:2.2.3
vuln 5.2.8.RELEASE  mod-patron-blocks:1.4.1
  ok                mod-patron:5.0.3
  ok                mod-permissions:5.14.4
vuln 5.2.8.RELEASE  mod-pubsub:2.4.3
vuln 5.2.9.RELEASE  mod-quick-marc:2.2.4
vuln 5.3.8          mod-remote-storage:1.4.2
  ok                mod-rtac:3.1.1
  ok                mod-search:1.5.4
  ok                mod-sender:1.6.1
vuln 5.1.16.RELEASE mod-service-interaction:1.0.0
  ok                mod-source-record-manager:3.2.9
vuln 5.2.8.RELEASE  mod-source-record-storage:5.2.8
vuln 5.3.8          mod-tags:1.0.2
  ok                mod-template-engine:1.15.1
  ok                mod-user-import:3.6.4
  ok                mod-users-bl:7.1.1
vuln 5.2.8.RELEASE  mod-users:18.1.2
  ok                mod-z3950:2.4.0
  ok                okapi:4.11.1
Comment by Craig McNally [ 06/Oct/22 ]

Looks like we still have ~10 or so vulnerable modules...  master branch as of today

  ok 5.3.20         edge-caiasoft:1.3.1
  ok                edge-connexion:1.0.5
  ok 5.3.20         edge-dematic:1.6.1
  ok                edge-ncip:1.8.0
  ok                edge-oai-pmh:2.5.1
  ok                edge-orders:2.6.3
  ok                edge-patron:4.9.3
  ok                edge-rtac:2.5.2
  ok                edge-sip2:2.2.0
  ok 5.2.22.RELEASE mod-agreements:5.2.2
  ok 5.3.19         mod-audit:2.5.0
  ok                mod-authtoken:2.11.0
  ok                mod-calendar:1.15.0
  ok                mod-circulation-storage:14.1.0
  ok                mod-circulation:23.1.5
  ok 5.3.20         mod-codex-ekb:1.10.0
  ok                mod-codex-inventory:2.3.0
  ok                mod-codex-mux:2.12.0
  ok                mod-configuration:5.8.0
  ok                mod-copycat:1.3.0
  ok                mod-courses:1.4.5
  ok 5.3.20         mod-data-export-spring:1.4.5
  ok 5.3.20         mod-data-export-worker:1.4.10
  ok 5.3.20         mod-data-export:4.5.1
vuln 5.2.8.RELEASE  mod-data-import-converter-storage:1.14.1
vuln 5.2.8.RELEASE  mod-data-import:2.5.0
  ok 5.3.20         mod-ebsconet:1.3.3
  ok                mod-email:1.14.0
  ok                mod-erm-usage-harvester:4.1.0
  ok                mod-erm-usage:4.4.0
  ok                mod-eusage-reports:1.2.1
  ok                mod-event-config:2.3.0
vuln 5.2.8.RELEASE  mod-feesfines:18.0.2
  ok 5.3.20         mod-finance-storage:8.2.3
  ok 5.3.20         mod-finance:4.5.2
  ok                mod-gobi:2.4.3
  ok                mod-graphql:1.10.2
  ok                mod-inventory-storage:24.1.0
  ok                mod-inventory-update:2.2.0
  ok                mod-inventory:18.2.2
  ok 5.3.20         mod-invoice-storage:5.4.0
vuln 5.3.21         mod-invoice:5.4.1
vuln 5.3.21         mod-kb-ebsco-java:3.11.1
vuln 5.2.7.RELEASE  mod-ldp:1.0.6
  ok 5.2.22.RELEASE mod-licenses:4.2.1
vuln 5.3.21         mod-login-saml:2.4.9
  ok                mod-login:7.7.0
vuln 5.3.22         mod-ncip:1.11.1
  ok 5.3.20         mod-notes:3.1.2
  ok                mod-notify:2.11.0
  ok 5.3.20         mod-oai-pmh:3.9.1
  ok 5.3.20         mod-orders-storage:13.3.3
  ok 5.3.20         mod-orders:12.4.3
  ok                mod-organizations-storage:4.3.0
  ok 5.3.20         mod-organizations:1.5.0
  ok 5.3.20         mod-password-validator:2.4.0
vuln 5.2.8.RELEASE  mod-patron-blocks:1.6.0
  ok                mod-patron:5.3.0
  ok                mod-permissions:6.1.0
  ok 5.3.20         mod-pubsub:2.6.1
  ok 5.3.20         mod-quick-marc:2.4.2
  ok 5.3.20         mod-remote-storage:1.6.0
  ok                mod-rtac:3.3.0
  ok 5.3.19         mod-search:1.7.5
  ok                mod-sender:1.8.0
  ok 5.2.22.RELEASE mod-service-interaction:1.1.0
vuln 5.2.8.RELEASE  mod-source-record-manager:3.4.5
  ok 5.3.20         mod-source-record-storage:5.4.2
  ok 5.3.20         mod-tags:1.2.0
  ok                mod-template-engine:1.17.0
  ok                mod-user-import:3.6.6
  ok                mod-users-bl:7.3.0
  ok 5.3.20         mod-users:18.3.1
  ok                mod-z3950:2.4.0
  ok                okapi:4.14.4
Comment by Julian Ladisch [ 01/Dec/22 ]

For master branch of platform-complete (= Nolana) all has been fixed:

Spring4Shell CVE-2022-22965 - list spring-beans existence, mark <5.3.18 or <5.2.20.RELEASE as vuln

  ok 5.3.22         edge-caiasoft:1.4.0
  ok                edge-connexion:1.0.5
  ok 5.3.22         edge-dematic:1.7.0
  ok                edge-ncip:1.8.1
  ok                edge-oai-pmh:2.5.1
  ok                edge-orders:2.7.0
  ok                edge-patron:4.10.0
  ok                edge-rtac:2.6.0
  ok                edge-sip2:2.4.0
  ok 5.2.22.RELEASE mod-agreements:5.4.2
  ok 5.3.19         mod-audit:2.6.0
  ok                mod-authtoken:2.12.0
  ok 5.3.23         mod-calendar:2.3.0
  ok                mod-circulation-storage:15.0.2
  ok                mod-circulation:23.3.0
  ok                mod-configuration:5.9.0
  ok                mod-copycat:1.3.1
  ok                mod-courses:1.4.6
  ok 5.3.22         mod-data-export-spring:1.5.2
  ok 5.3.22         mod-data-export-worker:2.0.3
  ok 5.3.20         mod-data-export:4.6.1
  ok 5.3.20         mod-data-import-converter-storage:1.15.2
vuln 5.2.8.RELEASE  mod-data-import:2.6.1
  ok 5.3.22         mod-ebsconet:1.4.0
  ok                mod-email:1.15.2
  ok                mod-erm-usage-harvester:4.2.0
  ok                mod-erm-usage:4.5.1
  ok                mod-eusage-reports:1.2.2
  ok                mod-event-config:2.4.0
  ok 5.3.20         mod-feesfines:18.1.1
  ok 5.3.20         mod-finance-storage:8.3.1
  ok 5.3.20         mod-finance:4.6.2
  ok                mod-gobi:2.5.1
  ok                mod-graphql:1.10.2
  ok                mod-inventory-storage:25.0.2
  ok                mod-inventory-update:2.3.1
  ok                mod-inventory:19.0.1
  ok 5.3.23         mod-invoice-storage:5.5.0
  ok 5.3.21         mod-invoice:5.5.0
  ok 5.3.23         mod-kb-ebsco-java:3.12.1
  ok 5.3.23         mod-ldp:1.0.7
  ok 5.2.22.RELEASE mod-licenses:4.2.1
  ok 5.3.22         mod-login-saml:2.5.0
  ok                mod-login:7.8.0
  ok 5.3.22         mod-ncip:1.12.1
  ok 5.3.23         mod-notes:4.0.0
  ok                mod-notify:2.12.0
  ok 5.3.20         mod-oai-pmh:3.10.0
  ok 5.3.20         mod-orders-storage:13.4.0
  ok 5.3.20         mod-orders:12.5.3
  ok                mod-organizations-storage:4.4.0
  ok 5.3.20         mod-organizations:1.6.0
  ok 5.3.23         mod-password-validator:2.5.0
  ok 5.3.20         mod-patron-blocks:1.7.1
  ok                mod-patron:5.4.0
  ok                mod-permissions:6.2.0
  ok 5.3.20         mod-pubsub:2.7.0
  ok 5.3.23         mod-quick-marc:2.5.0
  ok 5.3.22         mod-remote-storage:1.7.0
  ok                mod-rtac:3.4.0
  ok 5.3.23         mod-search:1.8.0
  ok                mod-sender:1.9.0
  ok 5.2.22.RELEASE mod-service-interaction:2.0.0
  ok 5.3.20         mod-source-record-manager:3.5.3
  ok 5.3.20         mod-source-record-storage:5.5.2
  ok 5.3.23         mod-tags:1.3.0
  ok                mod-template-engine:1.18.0
  ok                mod-user-import:3.7.0
  ok                mod-users-bl:7.4.0
  ok 5.3.20         mod-users:19.0.0
  ok                mod-z3950:2.4.0
  ok                okapi:4.14.8

Note that mod-data-import has an affected spring-beans 5.2.8.RELEASE dependency, however, mod-data-import doesn't use this dependency. The unused spring-beans dependency has been removed from mod-data-import master: https://github.com/folio-org/mod-data-import/pull/232

Comment by Julian Ladisch [ 01/Dec/22 ]

For R2-2022 branch of platform-complete:

Spring4Shell CVE-2022-22965 - list spring-beans existence, mark <5.3.18 or <5.2.20.RELEASE as vuln

  ok 5.3.20         edge-caiasoft:1.3.1
  ok                edge-connexion:1.0.5
  ok 5.3.20         edge-dematic:1.6.1
  ok                edge-ncip:1.8.1
  ok                edge-oai-pmh:2.5.1
  ok                edge-orders:2.6.3
  ok                edge-patron:4.9.3
  ok                edge-rtac:2.5.2
  ok                edge-sip2:2.2.0
  ok 5.2.22.RELEASE mod-agreements:5.2.2
  ok 5.3.19         mod-audit:2.5.0
  ok                mod-authtoken:2.11.1
  ok                mod-calendar:1.15.0
  ok                mod-circulation-storage:14.1.1
  ok                mod-circulation:23.1.5
  ok 5.3.20         mod-codex-ekb:1.10.0
  ok                mod-codex-inventory:2.3.0
  ok                mod-codex-mux:2.12.0
  ok                mod-configuration:5.8.0
  ok                mod-copycat:1.3.1
  ok                mod-courses:1.4.6
  ok 5.3.20         mod-data-export-spring:1.4.5
  ok 5.3.20         mod-data-export-worker:1.4.11
  ok 5.3.20         mod-data-export:4.5.2
vuln 5.2.8.RELEASE  mod-data-import-converter-storage:1.14.3
  ok 5.2.22.RELEASE mod-data-import:2.5.1
  ok 5.3.20         mod-ebsconet:1.3.3
  ok                mod-email:1.14.0
  ok                mod-erm-usage-harvester:4.1.0
  ok                mod-erm-usage:4.4.1
  ok                mod-eusage-reports:1.2.2
  ok                mod-event-config:2.3.0
  ok 5.2.22.RELEASE mod-feesfines:18.0.3
  ok 5.3.20         mod-finance-storage:8.2.3
  ok 5.3.20         mod-finance:4.5.3
  ok                mod-gobi:2.4.4
  ok                mod-graphql:1.10.2
  ok                mod-inventory-storage:24.1.0
  ok                mod-inventory-update:2.2.0
  ok                mod-inventory:18.2.2
  ok 5.3.20         mod-invoice-storage:5.4.1
  ok 5.3.21         mod-invoice:5.4.2
  ok 5.3.21         mod-kb-ebsco-java:3.11.2
  ok 5.3.23         mod-ldp:1.0.7
  ok 5.2.22.RELEASE mod-licenses:4.2.1
  ok 5.3.21         mod-login-saml:2.4.9
  ok                mod-login:7.7.0
  ok 5.3.22         mod-ncip:1.11.1
  ok 5.3.20         mod-notes:3.1.2
  ok                mod-notify:2.11.0
  ok 5.3.20         mod-oai-pmh:3.9.1
  ok 5.3.20         mod-orders-storage:13.3.4
  ok 5.3.20         mod-orders:12.4.4
  ok                mod-organizations-storage:4.3.0
  ok 5.3.20         mod-organizations:1.5.0
  ok 5.3.20         mod-password-validator:2.4.0
vuln 5.2.8.RELEASE  mod-patron-blocks:1.6.0
  ok                mod-patron:5.3.0
  ok                mod-permissions:6.1.0
  ok 5.3.20         mod-pubsub:2.6.1
  ok 5.3.20         mod-quick-marc:2.4.2
  ok 5.3.20         mod-remote-storage:1.6.0
  ok                mod-rtac:3.3.0
  ok 5.3.19         mod-search:1.7.6
  ok                mod-sender:1.8.0
  ok 5.2.22.RELEASE mod-service-interaction:1.1.0
vuln 5.2.8.RELEASE  mod-source-record-manager:3.4.5
  ok 5.3.20         mod-source-record-storage:5.4.2
  ok 5.3.20         mod-tags:1.2.0
  ok                mod-template-engine:1.17.0
  ok                mod-user-import:3.6.6
  ok                mod-users-bl:7.3.0
  ok 5.3.20         mod-users:18.3.1
  ok                mod-z3950:3.0.1
  ok                okapi:4.14.7
Comment by Axel Dörrer [ 19/Jan/23 ]

All occurrences have been updated

Generated at Thu Feb 08 23:28:21 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.