spring-bootspring-cloud-streamspring-cloud-functionspring-cloud-circuitbreaker

Is Spring Cloud Stream affected by CVE-2022-22963 (spring cloud function)


The CVE-2022-22963 - spring cloud function vulnerability was recently discovered and a simple fix was provided by the team here: cve-report-published-for-spring-cloud-function

We are getting spring-cloud-function-context:3.0.6 from spring-cloud-stream:3.0.4 by the following dependencies (our spring.boot.version is 2.2.6):

We are not using directly RoutingFunction, but afraid the libraries which brings spring-cloud-function-context/core via spring-cloud-stream, that I've mentioned above, might using RoutigFunction and exposes us to the vulnerability.

What is the preferred mitigation for us on this CVE?
Can we upgrade to spring-cloud-function version 3.1.7 without compatibility issues with our spring version?


Solution

  • First, spring-cloud-stream is not affected by the CVE you mention. It is only affecting spring-cloud-function if spring-cloud-function-web module is used.

    As for the issue you are describing in your last comment (NCDFE) this can only happen if you are using old and incompatible versions of Stream and Functions.

    So. . ., as Soby mentioned, 3.1 is EOL so you still have to upgrade.
    You can upgrade the standard spring-boot way by updating spring-cloud BOM

    <dependencyManagement>
            <dependencies>
                <dependency>
                    <groupId>org.springframework.cloud</groupId>
                    <artifactId>spring-cloud-dependencies</artifactId>
                    <version>2021.0.3</version>
                    <type>pom</type>
                    <scope>import</scope>
                </dependency>
            </dependencies>
        </dependencyManagement>
    

    Or you can manually change individual dependencies.