• Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core

      The Qualys Scanner finds an old version of Spring Core at /var/lib/jenkins/war/WEB-INF/lib/spring-core-5.3.11.jar and generates a medium finding on that.

      Is it possible to upgrade this component to 5.3.20 or newer?

      Thanks in advance!

          [JENKINS-68854] Upgrade Spring core to 5.3.20 or newer

          Basil Crow added a comment -

          Fixed in jenkinsci/jenkins#6565. Released in 2.348.


          Eike Günther added a comment -

          Added this as an lts-candidate, because of these CVEs: https://tanzu.vmware.com/security/cve-2022-22970 https://tanzu.vmware.com/security/cve-2022-22971

          Mark Waite added a comment - - edited

          When I unpack the war file for Jenkins 2.346.2, it reports WEB-INF/lib/spring-core-5.3.19.jar, not WEB-INF/lib/spring-core-5.3.11.jar.

          Jenkins 2.332.4 reports spring-core-5.3.14.jar, not WEB-INF/lib/spring-core-5.3.11.jar.

          We could upgrade the version in 2.346.3 from 5.3.19 to 5.3.20 (or 5.3.21 as included in Jenkins 2.357 or 5.3.22 as included in Jenkins 2.360), but that may not help this user because they appear to be running an outdated Jenkins version. They appear to be running a Jenkins version that is affected by Jenkins security advisories yet are expressing concern for a dependency update. Wouldn't it be better for the user to update their Jenkins core to 2.332.4 or 2.346.2 so that they are not affected by the security advisory?

          As far as I can tell from an initial reading of those two vulnerabilities, Jenkins is not likely to be affected by them. The upgrade would quiet the scanners, but not really increase the security of Jenkins. If they upgrade to a newer Jenkins version, that would actually improve the security of their Jenkins installation.

          jasonmadam what version of Jenkins are you running? It may be that I've missed some way of checking for dependencies and the Qualys scanner is finding something that I've missed.


          Jason-Morries Adam added a comment - - edited

          When I created this issue, I was using the latest LTS version of Jenkins. I will check this again on my Jenkins instances tomorrow that are running LTS 2.346.2.


          Eike Günther added a comment -

          To clarify: I just added the "lts-candidate" tag, because I would like to have spring updated from 5.3.19 to 5.3.20 or newer in lts (in order to "quiet the scanners"). Maybe this should have been a separate issue.

          Sorry for the confusion.


          Jason-Morries Adam added a comment -

          My intention for this issue is exactly the same as Eike's reason: I wanted to quiet the scanner.

          I have checked this again on two instances: 

          1) I checked this on an instance that we upgrade from LTS version to LTS version (Ubuntu 20.04 with apt installation as described in the Jenkins manuals). There was still the old spring-core-5.3.11.jar (at path /var/lib/jenkins/war/WEB-INF/lib/spring-core-5.3.11.jar), but it seems to be unused. Additionally, there is the correct spring-core-5.3.19.jar (at /var/cache/jenkins/war/WEB-INF/lib/spring-core-5.3.19.jar).

          2) I installed jenkins on a new instance and there I can only see spring-core-5.3.19.jar.

          So I can confirm that the LTS version 2.346.2 uses Spring Core 5.3.19.

          An upgrade in 2.346.3 from 5.3.19 to 5.3.20 would resolve this issue for our scanner. 

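The check Mark and Jason describe above (list WEB-INF/lib inside jenkins.war, then compare it with the exploded copies a file-system scanner sees) as an added, self-contained example. This is not code from the Jenkins project or from anyone in the thread. It treats the WAR as the authoritative copy, flags an exploded directory whose spring-core version differs from the WAR's as a stale leftover rather than a component to upgrade, and compares against a minimum version. The sample WAR, the two exploded directories and the minimum of 5.3.20 are constructed to mirror the thread and are assumptions; on a real host you would pass the path of the installed jenkins.war and the directories the scanner reported. Requires Python 3.8+.

```python
"""Check which Spring Core version a Jenkins deployment actually ships.

Added example, not part of the Jenkins issue or code base. The copy that
Jenkins loads is WEB-INF/lib inside jenkins.war; exploded directories on
disk may be leftovers from an earlier install that a scanner still reports.
"""
import re
import tempfile
import zipfile
from pathlib import Path

# Matches e.g. WEB-INF/lib/spring-core-5.3.19.jar and captures "5.3.19".
SPRING_CORE_RE = re.compile(r"WEB-INF/lib/spring-core-(\d+(?:\.\d+)*)\.jar$")


def parse_version(version: str) -> tuple:
    """'5.3.19' -> (5, 3, 19) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def spring_core_versions_in_war(war_path) -> list:
    """Versions of spring-core bundled in the WAR (what Jenkins really loads)."""
    with zipfile.ZipFile(war_path) as war:
        found = {m.group(1) for name in war.namelist()
                 if (m := SPRING_CORE_RE.search(name))}
    return sorted(found, key=parse_version)


def spring_core_versions_in_dir(exploded_dir) -> list:
    """Versions of spring-core in an exploded WAR directory on disk."""
    lib = Path(exploded_dir) / "WEB-INF" / "lib"
    if not lib.is_dir():
        return []
    found = {m.group(1) for p in lib.glob("spring-core-*.jar")
             if (m := SPRING_CORE_RE.search(p.as_posix()))}
    return sorted(found, key=parse_version)


def assess(war_path, exploded_dirs, minimum="5.3.20") -> dict:
    """Compare the WAR's copy with a minimum and flag stale exploded copies.

    An exploded directory whose version set differs from the WAR's is not what
    the running Jenkins uses (it re-explodes the WAR into its webroot on
    start), so it is reported as 'stale' and a cleanup candidate, not as a
    component to upgrade.
    """
    shipped = spring_core_versions_in_war(war_path)
    below = [v for v in shipped if parse_version(v) < parse_version(minimum)]
    stale = {}
    for directory in exploded_dirs:
        found = spring_core_versions_in_dir(directory)
        if found and found != shipped:
            stale[str(directory)] = found
    return {"shipped": shipped, "below_minimum": below, "stale_copies": stale}


def build_sample_layout(root) -> tuple:
    """Constructed sample mirroring the thread: a WAR carrying
    spring-core-5.3.19.jar, a leftover /var/lib/jenkins/war holding 5.3.11,
    and a /var/cache/jenkins/war that matches the WAR (all relative to root)."""
    root = Path(root)
    war_path = root / "jenkins.war"
    with zipfile.ZipFile(war_path, "w") as war:
        war.writestr("WEB-INF/lib/spring-core-5.3.19.jar", b"")
        war.writestr("WEB-INF/lib/other-1.0.jar", b"")
    stale_dir = root / "var" / "lib" / "jenkins" / "war"
    (stale_dir / "WEB-INF" / "lib").mkdir(parents=True)
    (stale_dir / "WEB-INF" / "lib" / "spring-core-5.3.11.jar").write_bytes(b"")
    cache_dir = root / "var" / "cache" / "jenkins" / "war"
    (cache_dir / "WEB-INF" / "lib").mkdir(parents=True)
    (cache_dir / "WEB-INF" / "lib" / "spring-core-5.3.19.jar").write_bytes(b"")
    return war_path, [stale_dir, cache_dir]


def run_sample(minimum="5.3.20") -> dict:
    """Build the constructed sample in a temp dir and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        war, dirs = build_sample_layout(tmp)
        return assess(war, dirs, minimum=minimum)


if __name__ == "__main__":
    print(run_sample())
```

On the sample this reports 5.3.19 as shipped and below the 5.3.20 minimum, and the /var/lib/jenkins/war copy as stale; the /var/cache/jenkins/war copy is not listed because it matches the WAR. The shipped version is the one to hand to the scanner team, while a stale directory is removed rather than patched.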

            Assignee: Unassigned
            Reporter: Jason-Morries Adam (jasonmadam)
            Votes: 0
            Watchers: 4