Posted to issues@activemq.apache.org by "Shubhangi Raut (Jira)" <ji...@apache.org> on 2022/05/26 08:08:00 UTC

[jira] [Created] (AMQ-8612) Upgrade spring version to 5.3.20

Shubhangi Raut created AMQ-8612:
-----------------------------------

             Summary: Upgrade spring version to 5.3.20
                 Key: AMQ-8612
                 URL: https://issues.apache.org/jira/browse/AMQ-8612
             Project: ActiveMQ
          Issue Type: Dependency upgrade
    Affects Versions: 5.17.1
            Reporter: Shubhangi Raut
             Fix For: 5.18.0


*Description :*
*Severity :* CVE CVSS 3: 7.5; Sonatype CVSS 3: 5.3

*Weakness :* CVE CWE: 770

*Source :* National Vulnerability Database

*Categories :* Data

*Description from CVE :* In Spring Framework versions *prior to 5.3.20* and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

*Explanation :* The spring-beans package is vulnerable to Allocation of Resources Without Limits or Throttling. The constructor method in the CachedIntrospectionResults class was disallowed from loading all ClassLoaders in an attempt to avoid exposing dangerous classes that could lead to Remote Code Execution vulnerabilities. This change caused the application server to eventually crash in applications handling file uploads where MultipartFile and javax.servlet.Part types are used in data binding. An attacker may craft malicious file upload requests to Spring WebFlux or Spring MVC applications and cause a Denial of Service [DoS] condition on servers that are affected by this issue.
The Sonatype security research team discovered that the root cause of the vulnerability is in spring-beans, not directly in spring-mvc and spring-webflux as the advisory states, and was introduced via a regression following a fix for CVE-2022-22965 [SpringShell] in versions 5.2.20.RELEASE for the 5.2.x branch, and 5.3.18 in the 5.3.x branch.

*Detection :* Any application that uses this component is vulnerable.

*Recommendation :* We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

*CVE :* CVE-2022-22970

*URL :* [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22970]

Please upgrade the spring-version to the latest available release, 5.3.20.
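As an added check that is not part of this issue or the ActiveMQ build, the following Python scans a `mvn dependency:tree` listing for spring-beans versions below the 5.3.20 fix named above and also reports whether a hit falls in the 5.3.18/5.3.19 regression window described in the Explanation. The sample tree below is constructed for illustration; the `org.springframework:spring-beans:jar:<version>:<scope>` line shape is Maven's standard tree output.

```python
import re
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not taken from the ActiveMQ build).
SAMPLE_TREE = """\
[INFO] org.apache.activemq:activemq-broker:jar:5.17.1
[INFO] +- org.springframework:spring-beans:jar:5.3.19:compile
[INFO] +- org.springframework:spring-context:jar:5.3.19:compile
[INFO] |  \\- org.springframework:spring-core:jar:5.3.19:compile
[INFO] \\- org.springframework:spring-beans:jar:5.3.20:test
"""

FIXED = (5, 3, 20)              # first fixed 5.3.x release per CVE-2022-22970
REGRESSION_START = (5, 3, 18)   # regression introduced with the CVE-2022-22965 fix

# Matches the spring-beans coordinate; scope is optional (absent on the root line).
DEP_RE = re.compile(
    r"org\.springframework:spring-beans:[^:]+:([^:\s]+)(?::(\w+))?"
)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.3.19' or '5.2.20.RELEASE' into a comparable tuple of ints."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def in_regression_window(version: str) -> bool:
    """True for 5.3.18 and 5.3.19, the releases that carry the regression."""
    return REGRESSION_START <= parse_version(version) < FIXED


def find_vulnerable(tree: str) -> List[Tuple[str, str, bool]]:
    """Return (version, scope, regression_window) for spring-beans entries below 5.3.20.

    Every entry below the fix is reported, including old unsupported branches;
    the flag marks the narrower 5.3.18/5.3.19 window from the Sonatype analysis.
    """
    hits = []
    for line in tree.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        version, scope = m.group(1), m.group(2) or "compile"
        if parse_version(version) < FIXED:
            hits.append((version, scope, in_regression_window(version)))
    return hits
```

Run `mvn dependency:tree` in the module to be checked and pass its output to `find_vulnerable`; an empty list means no spring-beans entry below 5.3.20 was found.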



--
This message was sent by Atlassian Jira
(v8.20.7#820007)