You are viewing a plain text version of this content. The canonical link for it is here.

Posted to fortress@directory.apache.org by Shawn McKinney <sm...@apache.org> on 2022/04/10 18:18:11 UTC

Apache Fortress is not affected by Spring4Shell (CVE-2022-22965)

TL;DR

Apache Fortress is not affected by the Spring Framework RCE via Data Binding on JDK 9+, a.k.a. Spring4Shell.

Longer version

We don't use Spring anywhere in the Core or Realm. Spring is used in Web and Rest, but only the spring-webmvc and spring-webflux[1] artifacts are affected and they aren't used anywhere in the fortress codeline.

—
Shawn

[1]https://tanzu.vmware.com/security/cve-2022-22965
---------------------------------------------------------------------
To unsubscribe, e-mail: fortress-unsubscribe@directory.apache.org
For additional commands, e-mail: fortress-help@directory.apache.org