You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@impala.apache.org by "Wenzhe Zhou (Jira)" <ji...@apache.org> on 2022/10/05 19:52:00 UTC

[jira] [Resolved] (IMPALA-11639) Upgrade Spring Framework to 5.3.20 due to multiple CVEs

     [ https://issues.apache.org/jira/browse/IMPALA-11639?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Wenzhe Zhou resolved IMPALA-11639.
----------------------------------
    Target Version: Impala 4.2.0
        Resolution: Fixed

> Upgrade Spring Framework to 5.3.20 due to multiple CVEs
> -------------------------------------------------------
>
>                 Key: IMPALA-11639
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11639
>             Project: IMPALA
>          Issue Type: Task
>          Components: Frontend
>    Affects Versions: Impala 4.1.0
>            Reporter: Wenzhe Zhou
>            Assignee: Wenzhe Zhou
>            Priority: Major
>             Fix For: Impala 4.2.0
>
>
> The following are the known CVEs in spring-core 5.3.18 (ref https://mvnrepository.com/artifact/org.springframework/spring-core)
> CVE-2022-22971 - In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, application with a STOMP over WebSocket endpoint is vulnerable to a denial of service attack by an authenticated user.
> CVE-2022-22968 - In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
> CVE-2022-22970 - In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
> Recommendation :
> Upgrade to the latest non-vulnerable version
> https://mvnrepository.com/artifact/org.springframework/spring-core



--
This message was sent by Atlassian Jira
(v8.20.10#820010)