<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:28:21 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3466] Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965)</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3466</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;Official announcement from spring.io: &lt;a href=&quot;https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;There are three recent issues in Spring Framework:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-22963&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-22963&lt;/a&gt; (less severe) - Remote Code Execution (RCE) in Spring Cloud Function&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-22950&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-22950&lt;/a&gt; (medium-severe) - Denial of Service (DoS) in Spring Expression (SpEL)&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2022-22965&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2022-22965&lt;/a&gt; (critical) - &quot;Spring4Shell&quot; or Remote Code Execution (RCE) in Spring Core&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;This Jira is about the last one only. (The others may also be fixed by updating to a fixed version.)&lt;/p&gt;
&lt;h2&gt;&lt;a name=&quot;Fix&quot;&gt;&lt;/a&gt;Fix&lt;/h2&gt;

&lt;p&gt;42 FOLIO platform-complete modules use a vulnerable spring version.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/platform-complete/actions/workflows/spring-cve-2022-22965.yml&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/platform-complete/actions/workflows/spring-cve-2022-22965.yml&lt;/a&gt; automatically maintains a list of all FOLIO back-end modules showing their Spring4Shell status for &lt;del&gt;Kiwi (R3 2021)&lt;/del&gt;, Lotus (R1 2022), Morning Glory (R2 2022) and Nolana (R3 2022). The list is in &quot;Run cat result.txt&quot;.&lt;/p&gt;

&lt;p&gt;Patches are available:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Spring Framework 5.3.18 and 5.2.20&lt;/li&gt;
	&lt;li&gt;Spring Boot 2.6.6 and 2.5.12&lt;/li&gt;
	&lt;li&gt;Grails Core 5.1.6&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;It is NOT recommended to only apply workarounds (like not using Tomcat/Payara/Glassfish).&lt;br/&gt;
Quote from &lt;a href=&quot;https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement&lt;/a&gt; :&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The preferred response is to update to Spring Framework 5.3.18 and 5.2.20 or greater.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Quote from &lt;a href=&quot;https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751&lt;/a&gt; :&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;we also recommend upgrading all vulnerable versions to the fixed spring-beans version regardless of the application configuration.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;After applying the patch run&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
mvn dependency:tree -Dincludes=org.springframework:spring-beans
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;or&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
grails dependency-report runtime | grep spring-beans
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;and check that the spring-beans version is &amp;gt;= 5.3.18 or &amp;gt;= 5.2.20.&lt;/p&gt;

&lt;p&gt;Apply the patch on the default branch (main/master), the R2 2022 Morning Glory branch (if it exists), and on the Lotus (R1 2022) branch, and release a patch version for Lotus.&lt;/p&gt;

&lt;p&gt;We don&apos;t need any Kiwi back-port because there are no plans for a Kiwi hot fix #3.&lt;/p&gt;
&lt;h2&gt;&lt;a name=&quot;Vulnerability&quot;&gt;&lt;/a&gt;Vulnerability&lt;/h2&gt;

&lt;p&gt;Explanation from &lt;a href=&quot;https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;snyk&lt;/a&gt;:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;The BeanFactory interface provides an advanced configuration mechanism capable of managing any type of object.&lt;br/&gt;
Affected versions of this package are vulnerable to Remote Code Execution via manipulation of &lt;tt&gt;ClassLoader&lt;/tt&gt; that is achievable with a POST HTTP request. This could allow an attacker to execute a webshell on a victim&apos;s application.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;The vulnerability is in the spring-beans library of Spring Core in CachedIntrospectionResults.java. See the fix:&lt;br/&gt;
&lt;a href=&quot;https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/spring-projects/spring-framework/commit/002546b3e4b8d791ea6acccb81eb3168f51abb15&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://github.com/spring-projects/spring-framework/commit/996f701a1916d10202c1d0d281f06ab1f2e1117e&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/spring-projects/spring-framework/commit/996f701a1916d10202c1d0d281f06ab1f2e1117e&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For details see&lt;br/&gt;
&lt;a href=&quot;https://www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.cyberkendra.com/2022/03/spring4shell-details-and-exploit-code.html&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://www.cyberkendra.com/2022/03/springshell-rce-0-day-vulnerability.html&lt;/a&gt;&lt;/p&gt;
&lt;h2&gt;&lt;a name=&quot;Exploit&quot;&gt;&lt;/a&gt;Exploit&lt;/h2&gt;

&lt;p&gt;Quote from &lt;a href=&quot;https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751&lt;/a&gt; :&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;Note:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;Current public exploits require victim applications to be built with JRE version 9 (or above) and to be deployed on either Tomcat, Payara, or Glassfish.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul&gt;
	&lt;li&gt;However, we have confirmed that it is technically possible for additional exploits to work under additional application configurations as well.&lt;/li&gt;
&lt;/ul&gt;


&lt;ul&gt;
	&lt;li&gt;As such, while we recommend users prioritize first remediating against the configuration described above, for full protection, we also recommend upgrading all vulnerable versions to the fixed &lt;tt&gt;spring-beans&lt;/tt&gt; version regardless of the application configuration.&lt;/li&gt;
&lt;/ul&gt;
&lt;/blockquote&gt;
&lt;p&gt;Quote from &lt;a href=&quot;https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement&lt;/a&gt; :&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;However, the nature of the vulnerability is more general, and there may be other ways to exploit it.&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Requirements to exploit the vulnerability:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;JDK9 and above (FOLIO uses JDK11)&lt;/li&gt;
	&lt;li&gt;Using the Spring-beans package&lt;/li&gt;
	&lt;li&gt;Spring parameter binding is used&lt;/li&gt;
	&lt;li&gt;Spring parameter binding uses non-basic parameter types, such as general POJOs&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;There can be multiple ways to exploit the vulnerability.&lt;/p&gt;

&lt;p&gt;The easiest way to exploit the vulnerability is attacking an installation that runs on an external Tomcat (Apache Tomcat as the Servlet container). This is how the first known and published exploit works. There are reports about ongoing attacks.&lt;/p&gt;

&lt;p&gt;FOLIO modules don&apos;t use an external Tomcat. Some use spring-boot-starter-tomcat, the embedded Tomcat, which cannot be attacked by the published exploit.&lt;/p&gt;

&lt;p&gt;FOLIO modules don&apos;t use Payara or Glassfish for which public exploits have been published.&lt;/p&gt;

&lt;p&gt;Other exploits are possible but not publicly known and not published.&lt;/p&gt;
&lt;h2&gt;&lt;a name=&quot;Threat&quot;&gt;&lt;/a&gt;Threat&lt;/h2&gt;

&lt;p&gt;As Spring Framework is one of the most popular frameworks for Java and for the Java virtual machine (JVM), it is likely that other exploits will be developed that affect FOLIO modules - the risk becomes greater over time.&lt;/p&gt;

&lt;p&gt;Therefore the patches should be applied to mitigate this risk.&lt;/p&gt;

&lt;p&gt;Priority for edge modules is P2 because they are not behind Okapi but directly exposed to the internet. Priority for other modules is P3 for Lotus and P2 for Morning Glory and Nolana. Priority to be re-assessed if new findings are made.&lt;/p&gt;</description>
                <environment></environment>
        <key id="82278">FOLIO-3466</key>
            <summary>Spring4Shell: spring-beans RCE Vulnerability (CVE-2022-22965)</summary>
                <type id="10006" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10307?size=medium">Umbrella</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d">Jakub Skoczen</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Wed, 30 Mar 2022 06:23:38 +0000</created>
                <updated>Thu, 19 Jan 2023 16:20:07 +0000</updated>
                            <resolved>Thu, 19 Jan 2023 16:20:07 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>5</watches>
                                                                <comments>
                                                            <comment id="197673" author="5cf6c546b87c300f36eb7b9a" created="Thu, 31 Mar 2022 15:14:33 +0000"  >&lt;p&gt;The security team has reviewed this.&#160; We don&apos;t think there&apos;s a reproducer for FOLIO Modules at this time since we&apos;re not using external Tomcat.&#160; However, there may be additional/related attack vectors that would affect FOLIO.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt;&#160;is working on identifying the modules which may be affected (that use a vulnerable version of spring)&lt;/p&gt;</comment>
                                                            <comment id="197678" author="5ee89462f7aa140abd82d11d" created="Thu, 31 Mar 2022 21:40:25 +0000"  >&lt;p&gt;platform-complete, master branch (= Lotus R1 2022)&lt;br/&gt;
list spring-beans usage, mark &amp;lt;5.3.18 or &amp;lt;5.2.20.RELEASE as vuln&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
vuln 5.3.14         edge-caiasoft:1.2.0
  ok                edge-connexion:1.0.5
vuln 5.3.14         edge-dematic:1.5.0
vuln 5.2.9.RELEASE  edge-inn-reach:1.0.3
  ok                edge-ncip:1.7.0
  ok                edge-oai-pmh:2.4.2
  ok                edge-orders:2.5.0
  ok                edge-patron:4.8.0
  ok                edge-rtac:2.4.0
  ok                edge-sip2:2.2.0
vuln 5.1.16.RELEASE mod-agreements:5.1.1
vuln 5.2.8.RELEASE  mod-audit:2.3.0
  ok                mod-authtoken:2.9.1
  ok                mod-calendar:1.14.0
vuln 5.2.18.RELEASE mod-circulation-storage:14.0.0
vuln 5.2.7.RELEASE  mod-circulation:23.0.1
vuln 5.2.8.RELEASE  mod-codex-ekb:1.9.1
  ok                mod-codex-inventory:2.2.0
  ok                mod-codex-mux:2.11.1
  ok                mod-configuration:5.7.6
  ok                mod-copycat:1.2.1
  ok                mod-courses:1.4.3
  ok                mod-data-export-spring:1.3.0
vuln 5.3.14         mod-data-export-worker:1.3.1
vuln 5.1.1.RELEASE  mod-data-export:4.4.0
vuln 5.2.8.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;-converter-storage:1.13.2
vuln 5.2.8.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:2.4.1
vuln 5.2.15.RELEASE mod-ebsconet:1.2.0
  ok                mod-email:1.13.0
vuln 3.0.6.RELEASE  mod-erm-usage-harvester:4.0.0
vuln 3.0.6.RELEASE  mod-erm-usage:4.3.0
  ok                mod-eusage-reports:1.1.1
  ok                mod-event-config:2.2.0
vuln 5.2.8.RELEASE  mod-feesfines:17.1.0
vuln 5.2.8.RELEASE  mod-finance-storage:8.1.0
vuln 5.2.7.RELEASE  mod-finance:4.4.0
  ok                mod-gobi:2.3.0
  ok                mod-graphql:1.9.0
vuln 5.3.5          mod-inn-reach:1.0.2
  ok                mod-inventory-storage:23.0.2
  ok                mod-inventory-update:2.0.2
  ok                mod-inventory:18.1.3
vuln 5.2.6.RELEASE  mod-invoice-storage:5.3.0
vuln 5.2.6.RELEASE  mod-invoice:5.3.1
vuln 5.3.16         mod-kb-ebsco-java:3.10.1
vuln 5.2.7.RELEASE  mod-ldp:1.0.2
vuln 5.1.16.RELEASE mod-licenses:4.1.1
vuln 5.3.7          mod-login-saml:2.4.3
  ok                mod-login:7.6.0
vuln 2.5.6          mod-ncip:1.10.0
vuln 5.3.15         mod-notes:3.0.0
  ok                mod-notify:2.10.0
vuln 5.1.1.RELEASE  mod-oai-pmh:3.7.1
vuln 5.2.8.RELEASE  mod-orders-storage:13.2.1
vuln 5.2.11.RELEASE mod-orders:12.3.1
  ok                mod-organizations-storage:4.2.0
vuln 5.2.8.RELEASE  mod-organizations:1.4.0
vuln 5.3.15         mod-password-validator:2.3.0
vuln 5.2.8.RELEASE  mod-patron-blocks:1.5.0
  ok                mod-patron:5.2.1
  ok                mod-permissions:6.0.2
vuln 5.2.8.RELEASE  mod-pubsub:2.5.0
vuln 5.3.15         mod-quick-marc:2.3.2
vuln 5.3.14         mod-remote-storage:1.5.0
  ok                mod-rtac:3.2.0
vuln 5.3.14         mod-search:1.6.1
  ok                mod-sender:1.7.0
vuln 5.1.16.RELEASE mod-service-interaction:1.0.0
vuln 5.2.8.RELEASE  mod-source-record-manager:3.3.3
vuln 5.2.8.RELEASE  mod-source-record-storage:5.3.1
vuln 5.3.15         mod-tags:1.1.0
  ok                mod-template-engine:1.16.0
  ok                mod-user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:3.6.4
  ok                mod-users-bl:7.2.1
vuln 5.2.8.RELEASE  mod-users:18.2.0
  ok                mod-z3950:2.4.0
  ok                okapi:4.13.1
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="197685" author="5ee89462f7aa140abd82d11d" created="Thu, 31 Mar 2022 21:42:23 +0000"  >&lt;p&gt;platform-complete, Kiwi R3 2022 branch&lt;br/&gt;
list spring-beans usage, mark &amp;lt;5.3.18 or &amp;lt;5.2.20.RELEASE as vuln&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
vuln 5.2.9.RELEASE  edge-caiasoft:1.1.2
  ok                edge-connexion:1.0.5
vuln 5.2.9.RELEASE  edge-dematic:1.3.2
vuln 5.2.9.RELEASE  edge-inn-reach:1.0.3
  ok                edge-ncip:1.6.2
  ok                edge-oai-pmh:2.4.2
  ok                edge-orders:2.4.2
  ok                edge-patron:4.6.2
  ok                edge-rtac:2.3.2
  ok                edge-sip2:2.1.4
vuln 5.1.16.RELEASE mod-agreements:5.0.7
vuln 5.2.8.RELEASE  mod-audit:2.2.2
  ok                mod-authtoken:2.9.1
  ok                mod-calendar:1.13.1
vuln 5.2.7.RELEASE  mod-circulation-storage:13.1.1
  ok                mod-circulation:22.1.4
vuln 5.2.8.RELEASE  mod-codex-ekb:1.9.1
  ok                mod-codex-inventory:2.1.1
  ok                mod-codex-mux:2.11.1
  ok                mod-configuration:5.7.6
  ok                mod-copycat:1.1.2
  ok                mod-courses:1.4.3
  ok                mod-data-export-spring:1.2.2
vuln 5.3.8          mod-data-export-worker:1.2.3
vuln 5.1.1.RELEASE  mod-data-export:4.2.4
vuln 5.2.6.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;-converter-storage:1.12.1
vuln 5.2.8.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:2.2.1
vuln 5.2.15.RELEASE mod-ebsconet:1.1.1
  ok                mod-email:1.12.1
vuln 3.0.6.RELEASE  mod-erm-usage-harvester:3.1.4
vuln 3.0.6.RELEASE  mod-erm-usage:4.2.1
  ok                mod-eusage-reports:1.0.5
  ok                mod-event-config:2.1.1
vuln 5.2.8.RELEASE  mod-feesfines:17.0.2
vuln 5.2.8.RELEASE  mod-finance-storage:8.0.3
vuln 5.2.7.RELEASE  mod-finance:4.3.3
  ok                mod-gobi:2.2.1
  ok                mod-graphql:1.9.0
vuln 5.3.5          mod-inn-reach:1.0.2
  ok                mod-inventory-storage:22.0.4
vuln 5.2.8.RELEASE  mod-inventory:18.0.7
vuln 5.2.6.RELEASE  mod-invoice-storage:5.2.1
vuln 5.2.6.RELEASE  mod-invoice:5.2.5
vuln 5.2.8.RELEASE  mod-kb-ebsco-java:3.9.1
vuln 5.2.7.RELEASE  mod-ldp:1.0.2
vuln 5.1.16.RELEASE mod-licenses:4.0.0
vuln 5.3.7          mod-login-saml:2.4.3
  ok                mod-login:7.5.1
vuln 2.5.6          mod-ncip:1.9.1
vuln 5.2.8.RELEASE  mod-notes:2.13.2
  ok                mod-notify:2.9.1
vuln 5.1.1.RELEASE  mod-oai-pmh:3.7.1
vuln 5.2.8.RELEASE  mod-orders-storage:13.1.3
vuln 5.2.11.RELEASE mod-orders:12.2.5
  ok                mod-organizations-storage:4.1.1
vuln 5.2.8.RELEASE  mod-organizations:1.3.1
vuln 5.2.9.RELEASE  mod-password-validator:2.2.3
vuln 5.2.8.RELEASE  mod-patron-blocks:1.4.1
  ok                mod-patron:5.0.3
  ok                mod-permissions:5.14.4
vuln 5.2.8.RELEASE  mod-pubsub:2.4.3
vuln 5.2.9.RELEASE  mod-quick-marc:2.2.4
vuln 5.3.8          mod-remote-storage:1.4.2
  ok                mod-rtac:3.1.1
  ok                mod-search:1.5.4
  ok                mod-sender:1.6.1
vuln 5.1.16.RELEASE mod-service-interaction:1.0.0
  ok                mod-source-record-manager:3.2.9
vuln 5.2.8.RELEASE  mod-source-record-storage:5.2.8
vuln 5.3.8          mod-tags:1.0.2
  ok                mod-template-engine:1.15.1
  ok                mod-user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:3.6.4
  ok                mod-users-bl:7.1.1
vuln 5.2.8.RELEASE  mod-users:18.1.2
  ok                mod-z3950:2.4.0
  ok                okapi:4.11.1
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="197689" author="5cf6c546b87c300f36eb7b9a" created="Thu, 6 Oct 2022 15:34:57 +0000"  >&lt;p&gt;Looks like we still have ~10 or so vulnerable modules...&#160; master branch as of today&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
ok 5.3.20         edge-caiasoft:1.3.1
7  ok                edge-connexion:1.0.5
8  ok 5.3.20         edge-dematic:1.6.1
9  ok                edge-ncip:1.8.0
10  ok                edge-oai-pmh:2.5.1
11  ok                edge-orders:2.6.3
12  ok                edge-patron:4.9.3
13  ok                edge-rtac:2.5.2
14  ok                edge-sip2:2.2.0
15  ok 5.2.22.RELEASE mod-agreements:5.2.2
16  ok 5.3.19         mod-audit:2.5.0
17  ok                mod-authtoken:2.11.0
18  ok                mod-calendar:1.15.0
19  ok                mod-circulation-storage:14.1.0
20  ok                mod-circulation:23.1.5
21  ok 5.3.20         mod-codex-ekb:1.10.0
22  ok                mod-codex-inventory:2.3.0
23  ok                mod-codex-mux:2.12.0
24  ok                mod-configuration:5.8.0
25  ok                mod-copycat:1.3.0
26  ok                mod-courses:1.4.5
27  ok 5.3.20         mod-data-export-spring:1.4.5
28  ok 5.3.20         mod-data-export-worker:1.4.10
29  ok 5.3.20         mod-data-export:4.5.1
30vuln 5.2.8.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;-converter-storage:1.14.1
31vuln 5.2.8.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:2.5.0
32  ok 5.3.20         mod-ebsconet:1.3.3
33  ok                mod-email:1.14.0
34  ok                mod-erm-usage-harvester:4.1.0
35  ok                mod-erm-usage:4.4.0
36  ok                mod-eusage-reports:1.2.1
37  ok                mod-event-config:2.3.0
38vuln 5.2.8.RELEASE  mod-feesfines:18.0.2
39  ok 5.3.20         mod-finance-storage:8.2.3
40  ok 5.3.20         mod-finance:4.5.2
41  ok                mod-gobi:2.4.3
42  ok                mod-graphql:1.10.2
43  ok                mod-inventory-storage:24.1.0
44  ok                mod-inventory-update:2.2.0
45  ok                mod-inventory:18.2.2
46  ok 5.3.20         mod-invoice-storage:5.4.0
47vuln 5.3.21         mod-invoice:5.4.1
48vuln 5.3.21         mod-kb-ebsco-java:3.11.1
49vuln 5.2.7.RELEASE  mod-ldp:1.0.6
50  ok 5.2.22.RELEASE mod-licenses:4.2.1
51vuln 5.3.21         mod-login-saml:2.4.9
52  ok                mod-login:7.7.0
53vuln 5.3.22         mod-ncip:1.11.1
54  ok 5.3.20         mod-notes:3.1.2
55  ok                mod-notify:2.11.0
56  ok 5.3.20         mod-oai-pmh:3.9.1
57  ok 5.3.20         mod-orders-storage:13.3.3
58  ok 5.3.20         mod-orders:12.4.3
59  ok                mod-organizations-storage:4.3.0
60  ok 5.3.20         mod-organizations:1.5.0
61  ok 5.3.20         mod-password-validator:2.4.0
62vuln 5.2.8.RELEASE  mod-patron-blocks:1.6.0
63  ok                mod-patron:5.3.0
64  ok                mod-permissions:6.1.0
65  ok 5.3.20         mod-pubsub:2.6.1
66  ok 5.3.20         mod-quick-marc:2.4.2
67  ok 5.3.20         mod-remote-storage:1.6.0
68  ok                mod-rtac:3.3.0
69  ok 5.3.19         mod-search:1.7.5
70  ok                mod-sender:1.8.0
71  ok 5.2.22.RELEASE mod-service-interaction:1.1.0
72vuln 5.2.8.RELEASE  mod-source-record-manager:3.4.5
73  ok 5.3.20         mod-source-record-storage:5.4.2
74  ok 5.3.20         mod-tags:1.2.0
75  ok                mod-template-engine:1.17.0
76  ok                mod-user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:3.6.6
77  ok                mod-users-bl:7.3.0
78  ok 5.3.20         mod-users:18.3.1
79  ok                mod-z3950:2.4.0
80  ok                okapi:4.14.4&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="197697" author="5ee89462f7aa140abd82d11d" created="Thu, 1 Dec 2022 23:16:50 +0000"  >&lt;p&gt;For master branch of platform-complete (= Nolana) all has been fixed:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
Spring4Shell CVE-2022-22965 - list spring-beans existence, mark &amp;lt;5.3.18 or &amp;lt;5.2.20.RELEASE as vuln

  ok 5.3.22         edge-caiasoft:1.4.0
  ok                edge-connexion:1.0.5
  ok 5.3.22         edge-dematic:1.7.0
  ok                edge-ncip:1.8.1
  ok                edge-oai-pmh:2.5.1
  ok                edge-orders:2.7.0
  ok                edge-patron:4.10.0
  ok                edge-rtac:2.6.0
  ok                edge-sip2:2.4.0
  ok 5.2.22.RELEASE mod-agreements:5.4.2
  ok 5.3.19         mod-audit:2.6.0
  ok                mod-authtoken:2.12.0
  ok 5.3.23         mod-calendar:2.3.0
  ok                mod-circulation-storage:15.0.2
  ok                mod-circulation:23.3.0
  ok                mod-configuration:5.9.0
  ok                mod-copycat:1.3.1
  ok                mod-courses:1.4.6
  ok 5.3.22         mod-data-export-spring:1.5.2
  ok 5.3.22         mod-data-export-worker:2.0.3
  ok 5.3.20         mod-data-export:4.6.1
  ok 5.3.20         mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;-converter-storage:1.15.2
vuln 5.2.8.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:2.6.1
  ok 5.3.22         mod-ebsconet:1.4.0
  ok                mod-email:1.15.2
  ok                mod-erm-usage-harvester:4.2.0
  ok                mod-erm-usage:4.5.1
  ok                mod-eusage-reports:1.2.2
  ok                mod-event-config:2.4.0
  ok 5.3.20         mod-feesfines:18.1.1
  ok 5.3.20         mod-finance-storage:8.3.1
  ok 5.3.20         mod-finance:4.6.2
  ok                mod-gobi:2.5.1
  ok                mod-graphql:1.10.2
  ok                mod-inventory-storage:25.0.2
  ok                mod-inventory-update:2.3.1
  ok                mod-inventory:19.0.1
  ok 5.3.23         mod-invoice-storage:5.5.0
  ok 5.3.21         mod-invoice:5.5.0
  ok 5.3.23         mod-kb-ebsco-java:3.12.1
  ok 5.3.23         mod-ldp:1.0.7
  ok 5.2.22.RELEASE mod-licenses:4.2.1
  ok 5.3.22         mod-login-saml:2.5.0
  ok                mod-login:7.8.0
  ok 5.3.22         mod-ncip:1.12.1
  ok 5.3.23         mod-notes:4.0.0
  ok                mod-notify:2.12.0
  ok 5.3.20         mod-oai-pmh:3.10.0
  ok 5.3.20         mod-orders-storage:13.4.0
  ok 5.3.20         mod-orders:12.5.3
  ok                mod-organizations-storage:4.4.0
  ok 5.3.20         mod-organizations:1.6.0
  ok 5.3.23         mod-password-validator:2.5.0
  ok 5.3.20         mod-patron-blocks:1.7.1
  ok                mod-patron:5.4.0
  ok                mod-permissions:6.2.0
  ok 5.3.20         mod-pubsub:2.7.0
  ok 5.3.23         mod-quick-marc:2.5.0
  ok 5.3.22         mod-remote-storage:1.7.0
  ok                mod-rtac:3.4.0
  ok 5.3.23         mod-search:1.8.0
  ok                mod-sender:1.9.0
  ok 5.2.22.RELEASE mod-service-interaction:2.0.0
  ok 5.3.20         mod-source-record-manager:3.5.3
  ok 5.3.20         mod-source-record-storage:5.5.2
  ok 5.3.23         mod-tags:1.3.0
  ok                mod-template-engine:1.18.0
  ok                mod-user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:3.7.0
  ok                mod-users-bl:7.4.0
  ok 5.3.20         mod-users:19.0.0
  ok                mod-z3950:2.4.0
  ok                okapi:4.14.8
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;
&lt;p&gt;Note that mod-data-import has an affected spring-beans 5.2.8.RELEASE dependency, however, mod-data-import doesn&apos;t use this dependency. The unused spring-beans dependency has been removed from mod-data-import master: &lt;a href=&quot;https://github.com/folio-org/mod-data-import/pull/232&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-data-import/pull/232&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="197704" author="5ee89462f7aa140abd82d11d" created="Thu, 1 Dec 2022 23:20:18 +0000"  >&lt;p&gt;For R2-2022 branch of platform-complete:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
Spring4Shell CVE-2022-22965 - list spring-beans existence, mark &amp;lt;5.3.18 or &amp;lt;5.2.20.RELEASE as vuln

  ok 5.3.20         edge-caiasoft:1.3.1
  ok                edge-connexion:1.0.5
  ok 5.3.20         edge-dematic:1.6.1
  ok                edge-ncip:1.8.1
  ok                edge-oai-pmh:2.5.1
  ok                edge-orders:2.6.3
  ok                edge-patron:4.9.3
  ok                edge-rtac:2.5.2
  ok                edge-sip2:2.2.0
  ok 5.2.22.RELEASE mod-agreements:5.2.2
  ok 5.3.19         mod-audit:2.5.0
  ok                mod-authtoken:2.11.1
  ok                mod-calendar:1.15.0
  ok                mod-circulation-storage:14.1.1
  ok                mod-circulation:23.1.5
  ok 5.3.20         mod-codex-ekb:1.10.0
  ok                mod-codex-inventory:2.3.0
  ok                mod-codex-mux:2.12.0
  ok                mod-configuration:5.8.0
  ok                mod-copycat:1.3.1
  ok                mod-courses:1.4.6
  ok 5.3.20         mod-data-export-spring:1.4.5
  ok 5.3.20         mod-data-export-worker:1.4.11
  ok 5.3.20         mod-data-export:4.5.2
vuln 5.2.8.RELEASE  mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;-converter-storage:1.14.3
  ok 5.2.22.RELEASE mod-data-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:2.5.1
  ok 5.3.20         mod-ebsconet:1.3.3
  ok                mod-email:1.14.0
  ok                mod-erm-usage-harvester:4.1.0
  ok                mod-erm-usage:4.4.1
  ok                mod-eusage-reports:1.2.2
  ok                mod-event-config:2.3.0
  ok 5.2.22.RELEASE mod-feesfines:18.0.3
  ok 5.3.20         mod-finance-storage:8.2.3
  ok 5.3.20         mod-finance:4.5.3
  ok                mod-gobi:2.4.4
  ok                mod-graphql:1.10.2
  ok                mod-inventory-storage:24.1.0
  ok                mod-inventory-update:2.2.0
  ok                mod-inventory:18.2.2
  ok 5.3.20         mod-invoice-storage:5.4.1
  ok 5.3.21         mod-invoice:5.4.2
  ok 5.3.21         mod-kb-ebsco-java:3.11.2
  ok 5.3.23         mod-ldp:1.0.7
  ok 5.2.22.RELEASE mod-licenses:4.2.1
  ok 5.3.21         mod-login-saml:2.4.9
  ok                mod-login:7.7.0
  ok 5.3.22         mod-ncip:1.11.1
  ok 5.3.20         mod-notes:3.1.2
  ok                mod-notify:2.11.0
  ok 5.3.20         mod-oai-pmh:3.9.1
  ok 5.3.20         mod-orders-storage:13.3.4
  ok 5.3.20         mod-orders:12.4.4
  ok                mod-organizations-storage:4.3.0
  ok 5.3.20         mod-organizations:1.5.0
  ok 5.3.20         mod-password-validator:2.4.0
vuln 5.2.8.RELEASE  mod-patron-blocks:1.6.0
  ok                mod-patron:5.3.0
  ok                mod-permissions:6.1.0
  ok 5.3.20         mod-pubsub:2.6.1
  ok 5.3.20         mod-quick-marc:2.4.2
  ok 5.3.20         mod-remote-storage:1.6.0
  ok                mod-rtac:3.3.0
  ok 5.3.19         mod-search:1.7.6
  ok                mod-sender:1.8.0
  ok 5.2.22.RELEASE mod-service-interaction:1.1.0
vuln 5.2.8.RELEASE  mod-source-record-manager:3.4.5
  ok 5.3.20         mod-source-record-storage:5.4.2
  ok 5.3.20         mod-tags:1.2.0
  ok                mod-template-engine:1.17.0
  ok                mod-user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;:3.6.6
  ok                mod-users-bl:7.3.0
  ok 5.3.20         mod-users:18.3.1
  ok                mod-z3950:3.0.1
  ok                okapi:4.14.7
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="197710" author="712020:d28f3303-d132-4a90-a1e4-02884a0fd949" created="Thu, 19 Jan 2023 16:20:07 +0000"  >&lt;p&gt;&#160;All occurrences have been updated&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="39184">EDGINREACH-32</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="30119">CIRCSTORE-371</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39249">EDGCSOFT-35</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39220">EDGCSOFT-36</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="37994">EDGDEMATIC-63</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="37995">EDGDEMATIC-64</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39793">FDIS-17</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="64068">MDEXP-529</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="74619">MODAUD-119</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="62748">MODDATAIMP-730</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="62780">MODDATAIMP-732</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="68511">MODDICONV-260</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="68476">MODDICONV-279</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="74001">MODPATBLK-152</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="33166">MODPUBSUB-234</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="75916">MODPWD-93</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="58285">MODSOURMAN-889</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="58324">MODSOURMAN-923</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="43097">ERM-2082</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="43098">ERM-2083</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39796">FDIS-19</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="78036">MODCFIELDS-69</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="30935">MODEXPW-94</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="30936">MODEXPW-95</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39221">EDGCSOFT-37</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="39185">EDGINREACH-33</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="74621">MODAUD-118</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="73386">MODLOGSAML-135</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="33164">MODPUBSUB-233</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="30121">CIRCSTORE-373</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="30362">CIRCSTORE-383</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10115" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>CSP Approved</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10443"><![CDATA[Yes]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10181"><![CDATA[Spring Force]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10367"><![CDATA[TBD]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i04e76:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 31 Mar 2022 15:14:33 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>