Consider new CVE updates (cxf, jackson, snakeyaml, etc.) #585

Closed
hohwille opened this issue Jan 19, 2023 · 1 comment · Fixed by #586, #587 or #588

Comments

hohwille (Member) commented Jan 19, 2023

In devon4j we need to do another update to close most recent CVEs:

  • snakeyaml: 1.30 has several CVEs and an update is required (1.33). However, no spring-boot 2.x release addresses this but (so far) only 3.0.1 - see also Release with latest major versions (spring-boot 3.0.0) #582
    UPDATE: Even after updating snakeyaml to the currently latest version 1.33, it still has a high vulnerability left: CVE-2022-1471. So nothing is currently possible to close this one. It can only be addressed once another version of snakeyaml comes out fixing it.
  • Apache CXF has seen another set of CVEs that don't seem so critical but have been hyped by BSI. Here an update to 3.5.5 (or even 4.0.0) would resolve the CVEs.
  • update jackson to 2.14.1
  • also junit should be updated (CVE-2022-31514)
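As an added illustration (not code from the devon4j project): a Maven dependencyManagement fragment that pins the versions named above in a project that imports spring-boot-dependencies as a BOM rather than using spring-boot-starter-parent. The artifact coordinates are the real Maven coordinates of those libraries; the spring-boot version property is a placeholder, and junit is omitted because the issue names no target version for it.

```xml
<!-- Added example, not devon4j's own pom.xml. -->
<dependencyManagement>
  <dependencies>
    <!-- A direct entry always wins over a version managed by an imported BOM,
         so snakeyaml is forced to 1.33 regardless of what Spring Boot 2.x manages.
         Setting the snakeyaml.version property instead only works when
         spring-boot-starter-parent is the parent, not with a BOM import. -->
    <dependency>
      <groupId>org.yaml</groupId>
      <artifactId>snakeyaml</artifactId>
      <version>1.33</version> <!-- CVE-2022-1471 remains open at this version (see issue) -->
    </dependency>
    <!-- Between imported BOMs the first declaration wins, so the Jackson and CXF
         BOMs must be listed before spring-boot-dependencies to take effect. -->
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.14.1</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-bom</artifactId>
      <version>3.5.5</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-dependencies</artifactId>
      <!-- placeholder: the project's actual Spring Boot 2.x version -->
      <version>${spring-boot.version}</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the override actually reached the build with `mvn dependency:tree -Dincludes=org.yaml:snakeyaml` before relying on a scanner result.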
hohwille added a commit to hohwille/devon4j that referenced this issue Jan 19, 2023
hohwille (Member, Author) commented
Another thing to consider is that our BOM imports the BOM of spring-cloud.
However, IMHO spring-cloud-dependencies should be questioned from security PoV:
https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-dependencies/

We introduced this for kafka. Our kafka module is more or less deprecated. Hence, we should consider getting rid of this large dependency-tree that can cause more harm than use.

@hohwille hohwille linked a pull request Jan 19, 2023 that will close this issue
hohwille added a commit to hohwille/devon4j that referenced this issue Jan 19, 2023
hohwille added a commit that referenced this issue Jan 19, 2023
hohwille added a commit to hohwille/devon4j that referenced this issue Jan 19, 2023
@hohwille hohwille changed the title from "Conisder new CVE updates (cxf, snakeyaml, etc.)" to "Conisder new CVE updates (cxf, jackson, snakeyaml, etc.)" Jan 19, 2023
@hohwille hohwille added this to the release:2023.01.001 milestone Jan 19, 2023
@hohwille hohwille linked a pull request Jan 19, 2023 that will close this issue