Review and update spring cloud functions dependency for CVE #929

salaboy · 2022-03-31T14:27:40Z

Reference: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function

lance · 2022-04-01T17:48:58Z

The dependency that is used by the templates is spring-cloud-dependencies version 2021.0.1. This is an umbrella dependency that just pulls in a bunch of other dependencies. Reading this blog post about the issue, we are affected by “Information Exposure in Spring Cloud Function”, with a mitigation by a bump to spring-cloud-functions to 3.2.3 or higher. It appears to me that spring-cloud-dependencies has already made that bump based on my reading of this. https://mvnrepository.com/artifact/org.springframework.cloud/spring-cloud-dependencies/2021.0.1

If this is all true, then I think we are good and function users should not be affected. I would like for someone with more recent Java experience to validate these findings, however, as it’s been years and my Java fu is rusty.

Well, I just created a new springboot function project and when building it, the older 3.2.2 version of spring-cloud-functions was used. So, it seems that we need to explicitly include the fix version

Downloading from spring-releases: https://repo.spring.io/release/org/springframework/cloud/spring-cloud-function-dependencies/3.2.2/spring-cloud-function-dependencies-3.2.2.pom
Downloaded from spring-releases: https://repo.spring.io/release/org/springframework/cloud/spring-cloud-function-dependencies/3.2.2/spring-cloud-function-dependencies-3.2.2.

/cc @trisberg

This commit updates the spring-boot-function dependency explicitly as there is not yet a CVE fix for spring-cloud 2021.0.1. ``` ❯ ./mvnw clean install dependency:tree | grep spring-cloud-function [INFO] | +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile [INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile (optional) [INFO] | +- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile (optional) ``` Fixes: knative#929 Fixes: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function Signed-off-by: Lance Ball <lball@redhat.com>

This commit updates the spring-boot-function dependency explicitly as there is not yet a CVE fix for spring-cloud 2021.0.1. ``` ❯ ./mvnw clean install dependency:tree | grep spring-cloud-function [INFO] | +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile [INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile (optional) [INFO] | +- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile (optional) ``` Fixes: #929 Fixes: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function Signed-off-by: Lance Ball <lball@redhat.com>

This commit updates the spring-boot-function dependency explicitly as there is not yet a CVE fix for spring-cloud 2021.0.1. ``` ❯ ./mvnw clean install dependency:tree | grep spring-cloud-function [INFO] | +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile [INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile (optional) [INFO] | +- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile (optional) ``` Fixes: knative#929 Fixes: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function Signed-off-by: Lance Ball <lball@redhat.com>

* fix: apply updated spring-boot-function dependency (#936) This commit updates the spring-boot-function dependency explicitly as there is not yet a CVE fix for spring-cloud 2021.0.1. ``` ❯ ./mvnw clean install dependency:tree | grep spring-cloud-function [INFO] | +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile [INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile (optional) [INFO] | +- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile (optional) ``` Fixes: #929 Fixes: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function Signed-off-by: Lance Ball <lball@redhat.com> * deps: add updated pkged.go Signed-off-by: Lance Ball <lball@redhat.com>

This commit updates the spring-boot-function dependency explicitly as there is not yet a CVE fix for spring-cloud 2021.0.1. ``` ❯ ./mvnw clean install dependency:tree | grep spring-cloud-function [INFO] | +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile [INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile (optional) [INFO] | +- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile (optional) ``` Fixes: knative#929 Fixes: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function Signed-off-by: Lance Ball <lball@redhat.com>

* fix: apply updated spring-boot-function dependency (#936) This commit updates the spring-boot-function dependency explicitly as there is not yet a CVE fix for spring-cloud 2021.0.1. ``` ❯ ./mvnw clean install dependency:tree | grep spring-cloud-function [INFO] | +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile [INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile (optional) [INFO] | +- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile (optional) ``` Fixes: knative#929 Fixes: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function Signed-off-by: Lance Ball <lball@redhat.com> * deps: add updated pkged.go Signed-off-by: Lance Ball <lball@redhat.com> * deps: add updated pkged.go Signed-off-by: Lance Ball <lball@redhat.com>

This commit updates the spring-boot-function dependency explicitly as there is not yet a CVE fix for spring-cloud 2021.0.1. ``` ❯ ./mvnw clean install dependency:tree | grep spring-cloud-function [INFO] | +- org.springframework.cloud:spring-cloud-function-web:jar:3.2.2:compile [INFO] +- org.springframework.cloud:spring-cloud-function-context:jar:3.2.3:compile (optional) [INFO] | +- org.springframework.cloud:spring-cloud-function-core:jar:3.2.2:compile (optional) ``` Fixes: knative#929 Fixes: https://spring.io/blog/2022/03/29/cve-report-published-for-spring-cloud-function Signed-off-by: Lance Ball <lball@redhat.com>

salaboy self-assigned this Mar 31, 2022

lance added this to Func Roadmap Mar 31, 2022

lance moved this to Icebox (backlog and controversial items) in Func Roadmap Mar 31, 2022

lance self-assigned this Apr 1, 2022

lance mentioned this issue Apr 1, 2022

fix: apply updated spring-boot-function dependency #936

Merged

knative-prow bot closed this as completed in #936 Apr 4, 2022

Repository owner moved this from Icebox (backlog and controversial items) to In Design (typically large tasks with a feature track) in Func Roadmap Apr 4, 2022

lance moved this from In Design (typically large tasks with a feature track) to Done in Func Roadmap Apr 5, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Review and update spring cloud functions dependency for CVE #929

Review and update spring cloud functions dependency for CVE #929

salaboy commented Mar 31, 2022

lance commented Apr 1, 2022 •

edited

Loading

Review and update spring cloud functions dependency for CVE #929

Review and update spring cloud functions dependency for CVE #929

Comments

salaboy commented Mar 31, 2022

lance commented Apr 1, 2022 • edited Loading

lance commented Apr 1, 2022 •

edited

Loading