[MODCITEM-8] Upgrade Spring Boot, Kafka, Hazelcast fixing vulns Created: 23/Nov/23  Updated: 20/Dec/23  Resolved: 20/Dec/23

Status: Closed
Project: mod-circulation-item
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: TBD
Reporter: Julian Ladisch Assignee: Unassigned
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines SECURITY-19 CVE-2023-43642 snappy-java DoS. Analy... Approved
Sprint:
Development Team: Volaris
Release: Quesnelia (R1 2024)
RCA Group: Related dependency upgrade

Description

Upgrade Spring Boot from 3.1.4 to 3.1.5.

The Spring Boot upgrade indirectly upgrades tomcat-embed-core from 10.1.13 to 10.1.15, fixing three vulnerabilities: a Denial of Service (DoS) via HTTP/2 rapid reset (CVE-2023-44487), Improper Input Validation (CVE-2023-45648) and Incomplete Cleanup (CVE-2023-42795): https://nvd.nist.gov/vuln/detail/CVE-2023-44487 , https://nvd.nist.gov/vuln/detail/CVE-2023-45648 , https://nvd.nist.gov/vuln/detail/CVE-2023-42795

Upgrade spring-kafka from 3.0.11 to 3.1.0 and, correspondingly, kafka from 3.4.1 to 3.6.0.

The kafka upgrade indirectly upgrades snappy-java from 1.1.8.4 to 1.1.10.4, fixing four denial of service (DoS) and out of memory (OOM) issues, including CVE-2023-43642 tracked in SECURITY-19: https://security.snyk.io/package/maven/org.xerial.snappy:snappy-java

Upgrade hazelcast from 5.2.1 to 5.3.6 fixing Incorrect Permission Assignment for Critical Resource and Insufficiently Protected Credentials: https://nvd.nist.gov/vuln/detail/CVE-2023-33265 , https://nvd.nist.gov/vuln/detail/CVE-2023-33264
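A transitive upgrade like the three above only fixes anything if the build actually resolves the patched versions (another dependency can still pin an older tomcat-embed-core, snappy-java or hazelcast). The following check is an added example and is not code from mod-circulation-item or FOLIO: it parses `mvn dependency:list` output and compares the three artifacts named in this ticket against the lowest version that carries the fix. The sample listings are constructed to mirror the before/after state described above, not captured from the real build; the file and script names in the docstring are assumptions.

```python
"""Verify that a Maven build resolved the patched versions named in the ticket.

Added example, not part of mod-circulation-item. Parses `mvn dependency:list`
output and compares three transitive artifacts against the minimum fixed
version. Against a real build (file/script names are assumptions):
    mvn -q dependency:list -DoutputFile=deps.txt && python check_deps.py deps.txt
"""
import re
import sys
from typing import Dict, Tuple

# Artifact -> (minimum fixed version, what it fixes), taken from the ticket text.
MIN_VERSIONS: Dict[str, Tuple[str, str]] = {
    "org.apache.tomcat.embed:tomcat-embed-core": (
        "10.1.15", "CVE-2023-44487, CVE-2023-45648, CVE-2023-42795"),
    "org.xerial.snappy:snappy-java": (
        "1.1.10.4", "CVE-2023-43642 and three earlier DoS/OOM fixes"),
    "com.hazelcast:hazelcast": (
        "5.3.6", "CVE-2023-33265, CVE-2023-33264"),
}

# One dependency:list line:
#   [INFO]    group:artifact:type[:classifier]:version:scope [-- module ...]
# The [INFO] prefix is absent when -DoutputFile is used. A classifier must start
# with a letter and a version with a digit, which keeps the two apart.
DEP_LINE = re.compile(
    r"^(?:\[INFO\])?\s+(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[A-Za-z][\w.\-]*))?"
    r":(?P<version>\d[\w.\-]*):(?P<scope>\w+)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.1.10.4' -> (1, 1, 10, 4). A textual qualifier (RC1, SNAPSHOT, Final, ...)
    is treated as a pre-release of the numeric core and sorts *below* the plain
    release, so 1.1.10.4-SNAPSHOT is not accepted as containing the 1.1.10.4 fix."""
    nums = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            return tuple(nums) + (-1,)
        nums.append(int(piece))
    return tuple(nums)


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare two versions after right-padding the shorter one with zeros."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


def resolved_versions(listing: str) -> Dict[str, str]:
    """Map 'group:artifact' -> resolved version for every dependency line."""
    found: Dict[str, str] = {}
    for line in listing.splitlines():
        m = DEP_LINE.match(line)
        if m:
            found[f"{m['group']}:{m['artifact']}"] = m["version"]
    return found


def check(listing: str, minimums: Dict[str, Tuple[str, str]] = MIN_VERSIONS) -> Dict[str, str]:
    """Return 'ok', 'outdated' or 'absent' for each artifact in minimums.
    'absent' means the artifact is not on the classpath at all, so the listed
    CVEs do not apply; it is reported separately so a typo in the key is visible."""
    found = resolved_versions(listing)
    status: Dict[str, str] = {}
    for key, (minimum, _reason) in minimums.items():
        if key not in found:
            status[key] = "absent"
        elif version_at_least(found[key], minimum):
            status[key] = "ok"
        else:
            status[key] = "outdated"
    return status


# Constructed sample output (not captured from the real build): the state before
# and after the upgrades described in this ticket.
BEFORE = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.13:compile
[INFO]    org.xerial.snappy:snappy-java:jar:1.1.8.4:compile
[INFO]    com.hazelcast:hazelcast:jar:5.2.1:compile
[INFO]    org.springframework.boot:spring-boot:jar:3.1.4:compile
"""
AFTER = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.15:compile -- module org.apache.tomcat.embed.core
[INFO]    org.xerial.snappy:snappy-java:jar:1.1.10.4:compile
[INFO]    com.hazelcast:hazelcast:jar:5.3.6:compile
[INFO]    io.netty:netty-transport-native-epoll:jar:linux-x86_64:4.1.100.Final:compile
[INFO]    org.springframework.boot:spring-boot:jar:3.1.5:compile
"""


def main(argv) -> int:
    """Read a dependency:list file if given, else use the constructed AFTER sample."""
    listing = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else AFTER
    found = resolved_versions(listing)
    status = check(listing)
    for key, state in status.items():
        minimum, reason = MIN_VERSIONS[key]
        print(f"{state:8s} {key} resolved={found.get(key, '-')} min={minimum} ({reason})")
    return 0 if "outdated" not in status.values() else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports all three artifacts as ok on the AFTER sample; fed the BEFORE state it exits non-zero with all three outdated. Pre-release qualifiers are deliberately rejected, since a 1.1.10.4-SNAPSHOT gives no assurance the fix is present.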



Comments
Comment by Julian Ladisch [ 23/Nov/23 ]

Pull request for code review: https://github.com/folio-org/mod-circulation-item/pull/11

Comment by Julian Ladisch [ 27/Nov/23 ]

The Volaris team needs to merge the pull request because I don't have write access for this repository.

Generated at Thu Feb 08 22:23:58 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.