FHIR Chat · Spring CVEs / Vulnerabilities · hapi

Stream: hapi

Topic: Spring CVEs / Vulnerabilities


James Agnew (Apr 01 2022 at 18:39):

Hi All,

(Thanks @Keith Boone for reminding me I should post this here)

Regarding the 3 recently posted Spring CVEs:

We published a blog post yesterday on Spring4Shell: https://www.smilecdr.com/our-blog/spring4shell-vulnerability-cve-2022-22965

Our take is that we strongly believe we are not vulnerable, as no parts of our codebase call/use the affected code path (specifically the native Spring model deserialization). That said, we do pull in the vulnerable library version so we're recommending people upgrade right away to be safe. HAPI FHIR users can just bump the spring dependencies up manually in their local project POM, so that's easy.

CVE-2022-22963 is not a concern as we do not use Spring Cloud Function.

CVE-2022-22950 is not a concern as we do not evaluate user supplied SpEL anywhere in the library.


Last updated: Apr 12 2022 at 19:14 UTC