Confluence Data Center: CONFSERVER-79940

Synchrony Proxy: spring-beans 5.3.19 is vulnerable to CVE-2022-22970

Issue Summary

spring-beans is vulnerable to CVE-2022-22970

This is reproducible on Data Center: yes

Steps to Reproduce

1. Install Confluence 7.13.9
2. Step 2

Expected Results

Expect that synchrony-proxy/WEB-INF/lib contains spring-beans-5.3.20.jar or higher.

Actual Results

spring-beans-5.3.19.jar is present.

Workaround

Currently there is no known workaround for this behavior. A workaround will be added here when available.
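A check an administrator can run against the Expected Results above, added here as an example and not part of the issue or of Atlassian's code: it lists the jars in synchrony-proxy/WEB-INF/lib, parses the spring-beans version and flags anything below 5.3.20. The assumption that synchrony-proxy sits directly under the installation directory, and the sample listing, are mine.

```python
import re
from pathlib import Path

# Minimum fixed version per the issue's Expected Results (spring-beans 5.3.20);
# the comments note the shipped upgrade was actually Spring Framework 5.3.21.
MIN_FIXED = (5, 3, 20)

# Matches e.g. spring-beans-5.3.19.jar or spring-beans-4.3.30.RELEASE.jar
JAR_RE = re.compile(r"^spring-beans-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9_-]+)?\.jar$")


def parse_spring_beans_version(jar_name):
    """Return (major, minor, patch) for a spring-beans jar filename, else None."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def check_lib_dir(jar_names, min_fixed=MIN_FIXED):
    """Classify spring-beans jars from a WEB-INF/lib listing.

    Versions are compared as integer tuples, so 5.3.9 sorts below 5.3.20
    (a plain string comparison would get that wrong). 'missing' is set when
    no spring-beans jar is present at all, which is worth a manual look.
    """
    result = {"vulnerable": [], "ok": [], "missing": False}
    for name in jar_names:
        version = parse_spring_beans_version(name)
        if version is None:
            continue
        bucket = "ok" if version >= min_fixed else "vulnerable"
        result[bucket].append(name)
    result["missing"] = not (result["ok"] or result["vulnerable"])
    return result


def check_installation(install_dir):
    """Run the check on a real install. Assumes synchrony-proxy/WEB-INF/lib
    (the path named in the issue) is directly under the installation directory."""
    lib = Path(install_dir) / "synchrony-proxy" / "WEB-INF" / "lib"
    return check_lib_dir(p.name for p in lib.glob("*.jar"))


# Constructed sample listing mirroring the Actual Results; not from a real install.
SAMPLE_LISTING = [
    "spring-beans-5.3.19.jar",
    "spring-core-5.3.19.jar",
    "some-other-library-1.0.0.jar",
]

if __name__ == "__main__":
    print(check_lib_dir(SAMPLE_LISTING))
```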


Rick Carini added a comment:

Sweet! Thanks, richatkins

Richard Atkins added a comment:

Hi 7675e03adf45, this was in fact backported to 7.13.12 and 7.19.3, but the fix versions were not updated. I've now fixed this.

Regarding CVE-2022-22971, Snyk (https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823310) tells me that this only affects org.springframework:spring-messaging, which is not a dependency of Confluence. However, we upgraded the Spring Framework to 5.3.21 for this issue, which would resolve the issue for all scanners.

Rick Carini added a comment:

15ffccded09d - Is this being backported to the LTS 7.13 branch since it was discovered there?

Rick Carini added a comment (edited):

Hi jwhitehead@atlassian.com,

Is this going to be ported back to the LTS release branches 7.13 and 7.19?
You aren't mentioning the related CVE-2022-22971. Does this fix CVE-2022-22971 also?

Regards,
Rick Carini

James Whitehead added a comment:

A fix for this issue is available in Confluence Server and Data Center 8.0.0.
Upgrade now or check out the Release Notes to see what other issues are resolved.

Tanya Thorpe added a comment:

Hello,

What's the status of Spring Framework 5.3.20 availability?

Juan Pablo Hernandez added a comment:

Hello Team,

I could see the fix is waiting for release; do you have the date for the new release?

Juan Pablo Hernandez added a comment:

Hello,

Confluence has the Spring Framework 5.3.19, and this Spring Framework version has the vulnerabilities CVE-2022-22971 and CVE-2022-22970. You can get more details here:

https://tanzu.vmware.com/security/cve-2022-22971
https://tanzu.vmware.com/security/cve-2022-22970

Philipp Sadowski added a comment:

Only 7.13.9 affected, or <=7.13.9?

Why is this CVE of Type Bug?

Relangi Satish (Inactive) (15ffccded09d)
Richard Atkins (richatkins)
Affected customers: 4
Watchers: 16