Posted to java-dev@axis.apache.org by "Robert Lazarski (Jira)" <ji...@apache.org> on 2022/04/07 15:09:00 UTC

[jira] [Commented] (AXIS2-6032) About Spring RCE 0Days Vulnerability

    [ https://issues.apache.org/jira/browse/AXIS2-6032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518943#comment-17518943 ] 

Robert Lazarski commented on AXIS2-6032:
----------------------------------------

Don't think so.

The CVE says "A Spring MVC or Spring WebFlux application". Axis2 is neither. We only include spring-aop, spring-expression, and spring-jcl - not spring-core nor spring-mvc etc.

We expect an Axis2 release in a week or two - just waiting on an Apache Axiom release. It'll include the latest spring jars that we distribute.

Going to close the issue, though thanks for bringing it to our attention for review.

In general, keep in mind that our lib deps on any project almost always merely use core functionality, so you can almost always just drop in lib updates or put them in your pom.xml etc - don't wait on us as these CVEs occur fast and sometimes have multiple releases.

> About Spring RCE 0Days Vulnerability
> ------------------------------------
>
>                 Key: AXIS2-6032
>                 URL: https://issues.apache.org/jira/browse/AXIS2-6032
>             Project: Axis2
>          Issue Type: Bug
>    Affects Versions: 1.7.9, 1.8.0
>            Reporter: yanglin
>            Priority: Critical
>
> Hello !
> Is AXIS2 affected by the spring rce vulnerability?
> If so, will a new version be released?
>  
> CVE-2022-22965: A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding
> https://nvd.nist.gov/vuln/detail/CVE-2022-22965
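The reasoning in the comment above (the CVE text only covers Spring MVC or Spring WebFlux applications, while Axis2 ships just spring-aop, spring-expression and spring-jcl) can be checked against a real build by inspecting `mvn dependency:tree` output. The script below is an added example, not Axis2 project code; the tree text and the 9.9.9 version numbers are constructed sample input, and in practice you would pipe the output of `mvn dependency:tree` into the two functions instead.

```shell
#!/bin/sh
# Added example (not from the Axis2 project): given `mvn dependency:tree` output,
# list the org.springframework artifacts actually on the classpath and report
# whether the stated precondition of CVE-2022-22965 (Spring MVC or WebFlux
# present) holds for this deployment.

# Constructed sample tree (versions 9.9.9 are placeholders) for an Axis2-style
# web app that only carries spring-aop, spring-expression and spring-jcl.
SAMPLE_TREE='[INFO] org.example:my-axis2-service:war:1.0
[INFO] +- org.apache.axis2:axis2-kernel:jar:1.8.0:compile
[INFO] +- org.springframework:spring-aop:jar:9.9.9:compile
[INFO] +- org.springframework:spring-expression:jar:9.9.9:compile
[INFO] \- org.springframework:spring-jcl:jar:9.9.9:compile'

# Print "artifact version" for every org.springframework coordinate in the
# tree text. Maven prints coordinates as group:artifact:type:version:scope.
spring_artifacts() {
  printf '%s\n' "$1" | awk '
    {
      for (i = 1; i <= NF; i++)
        if (split($i, f, ":") >= 4 && f[1] == "org.springframework")
          print f[2], f[4]
    }'
}

# Succeed (exit 0) only if spring-webmvc or spring-webflux, the artifacts
# behind the "Spring MVC or Spring WebFlux application" wording, are present.
has_mvc_or_webflux() {
  printf '%s\n' "$1" | grep -Eq 'org\.springframework:spring-(webmvc|webflux):'
}

report() {
  echo "Spring artifacts on the classpath:"
  spring_artifacts "$1"
  if has_mvc_or_webflux "$1"; then
    echo "Spring MVC/WebFlux present: CVE-2022-22965 scope applies; check version and JDK."
  else
    echo "No Spring MVC/WebFlux: outside the CVE's stated scope; still keep the jars current."
  fi
}

report "$SAMPLE_TREE"
```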