Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-73365

Upgrade org.springframework:spring-web to version 6 on Jenkins Java 17 and Java 21

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Critical Critical
    • core
    • None
    • 2.464

      Hello There,

      I am seeing that when running a security scan on Jenkins I see the CVE-2016-1000027 being reported.

      I can understand that on JENKINS-71766 it says that you can not upgrade Spring until Jenkins supports Java 17.

      Seeing as the recent blog post that Jenkins now only supports Java 17 and Java 21 it should now be possible to upgrade Spring.

      https://www.jenkins.io/blog/2024/06/11/require-java-17/

      Will Spring Framework be upgraded to remove the CVE now that Jenkins runs on the supported version that has the fix.

      Since this is a 9.8 CVE we need an idea of when this can be fixed to pass our security scans.

          [JENKINS-73365] Upgrade org.springframework:spring-web to version 6 on Jenkins Java 17 and Java 21

          Basil Crow added a comment -

          Duplicates JENKINS-73255.

          Basil Crow added a comment - Duplicates JENKINS-73255 .

          Mark Waite added a comment -

          Please use the description of the situation from the GitHub comment in the Spring project to explain to your security scanning vendor why they should stop flagging that as a vulnerability. A subset of that explanation says:

          A variant of CVE-2011-2894 was submitted in 2016 by security researchers to a now disbanded CNA (CVE Numbering Authority). Years later, in 2020, this CVE was published by another CNA as a way to process all outstanding reports.

          This issue is another variant of "Java deserialization from untrusted sources". Doing so is exposing your application to remote code execution. This vulnerability is present at the JDK level as well, no Spring involved. This is why we've documented over the years, that developers should pay attention to that point. In this case, as opposed to 2011, the highest critical score is triggering all kind of automated rules...

          The full explanation including many interesting details are available in that issue report.

          Mark Waite added a comment - Please use the description of the situation from the GitHub comment in the Spring project to explain to your security scanning vendor why they should stop flagging that as a vulnerability. A subset of that explanation says: A variant of CVE-2011-2894 was submitted in 2016 by security researchers to a now disbanded CNA (CVE Numbering Authority). Years later, in 2020, this CVE was published by another CNA as a way to process all outstanding reports. This issue is another variant of "Java deserialization from untrusted sources". Doing so is exposing your application to remote code execution. This vulnerability is present at the JDK level as well, no Spring involved. This is why we've documented over the years, that developers should pay attention to that point. In this case, as opposed to 2011, the highest critical score is triggering all kind of automated rules... The full explanation including many interesting details are available in that issue report .

            Unassigned Unassigned
            tomdevops Tom Lorentsen
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: