Connect & CVE-2022-22965

Dear OL Team,

The security scans at a customer site have found vulnerable components for CVE-2022-22965 in the Connect installation
→ C:\Program Files\Objectif Lune\OL Connect\plugins\org.springframework.spring-beans_5.2.1.RELEASE.jar (org/springframework/beans/CachedIntrospectionResults.class) ←

I know that the attack vector requires Tomcat to be involved, which is not the case here, but it would be great if the Spring libs were upgraded to a non-vulnerable version in the next release.

Best regards

We are looking at our options as we speak. The 2022.1 version was pretty much ready to go into Release Cycle, we’ll have to see how changing things at this stage would impact the release.

In the meantime we have published an official statement earlier today about the vulnerability: Statement on Spring MVC/WebFlux vulnerability (CVE-2022-22965) - OL® Learn - Security (objectiflune.com)

Thank you, Phil!

Maybe I should have checked the blog before posting :wink:

Best regards