Apache NiFi / NIFI-9852

Upgrade Spring Framework to 5.3.18


Details

    Description

      Spring Framework 5.3.18 corrects several issues, including CVE-2022-22965. Spring Boot for NiFi Registry should also be upgraded to 2.6.6.

      The Spring Framework announcement lists the criteria for exploiting the vulnerability. Based on the current summary, NiFi and NiFi Registry do not appear to be impacted as both applications use Jetty instead of Apache Tomcat, and use JAX-RS with Jersey instead of Spring WebMVC or Spring WebFlux for defining REST resources.

      Upgrading these dependencies mitigates potential issues.
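
To confirm that an installation actually carries the upgraded libraries, the following added example (not part of the issue or of NiFi's code) flags Spring Framework jars older than 5.3.18 and Spring Boot jars older than 2.6.6. It assumes Maven-style `artifact-version.jar` file names, a hand-maintained list of Spring Framework module names, and that every `spring-boot*` artifact follows the Spring Boot version; the jar names in `SAMPLE` are constructed. It reports versions only and does not decide whether the exploit criteria apply.

```python
import re
from pathlib import Path

MIN_FRAMEWORK = (5, 3, 18)  # Spring Framework version named in the issue
MIN_BOOT = (2, 6, 6)        # Spring Boot version named for NiFi Registry

# Assumption: only these artifacts follow the Spring Framework version.
# Other spring-* projects (spring-security-*, spring-data-*) are versioned
# independently and must not be compared against 5.3.18.
FRAMEWORK_MODULES = {
    "spring-aop", "spring-aspects", "spring-beans", "spring-context",
    "spring-context-support", "spring-core", "spring-expression",
    "spring-jcl", "spring-jdbc", "spring-jms", "spring-messaging",
    "spring-orm", "spring-oxm", "spring-tx", "spring-web",
    "spring-webflux", "spring-webmvc", "spring-websocket",
}

# name-MAJOR.MINOR.PATCH[.QUALIFIER].jar, e.g. spring-core-4.3.30.RELEASE.jar
JAR_RE = re.compile(
    r"^(?P<name>[a-z][a-z0-9-]*?)-(?P<ver>\d+\.\d+\.\d+)(?:[.-][A-Za-z0-9]+)*\.jar$"
)

def audit(jar_paths):
    """Return (file name, found version, required version) for outdated jars."""
    findings = []
    for jar in jar_paths:
        file_name = Path(jar).name
        m = JAR_RE.match(file_name)
        if not m:
            continue
        name = m.group("name")
        if name in FRAMEWORK_MODULES:
            required = MIN_FRAMEWORK
        elif name == "spring-boot" or name.startswith("spring-boot-"):
            required = MIN_BOOT
        else:
            continue
        # Compare numerically: as strings, "5.3.9" would sort above "5.3.18".
        found = tuple(int(part) for part in m.group("ver").split("."))
        if found < required:
            findings.append((file_name, found, required))
    return findings

def scan_dir(root):
    """Audit every jar below root (directory path supplied by the caller)."""
    return audit(str(p) for p in Path(root).rglob("*.jar"))

# Constructed sample file names, not taken from a real NiFi distribution.
SAMPLE = ["lib/spring-core-5.3.17.jar", "lib/spring-beans-5.3.18.jar",
          "lib/spring-webmvc-5.3.9.jar", "lib/spring-security-core-5.6.2.jar",
          "lib/spring-boot-2.6.5.jar", "lib/spring-boot-autoconfigure-2.6.6.jar",
          "lib/jetty-server-9.4.46.v20220331.jar"]
```
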


          People

            exceptionfactory David Handermann


              Time Tracking

                Estimated: Not Specified
                Remaining: 0h
                Logged: 1h 20m
