
Vulnerability in spring 5.3.20

Saurabh Parkhi edited this page Jun 9, 2022 · 1 revision

Context:

We recently noticed that the droid build started failing because vulnerabilities were identified in Spring. The NIST database was recently updated to state that any Spring version before 6.0.0 is susceptible to this vulnerability.

Symptom:

Build failures caused by the identification of a vulnerability in the following artifacts:

- spring-core-5.3.20.jar: CVE-2016-1000027
- spring-tx-5.3.20.jar: CVE-2016-1000027

Analysis:

This vulnerability was identified a long time ago. A recent change in the NIST database (see https://nvd.nist.gov/vuln/detail/CVE-2016-1000027#VulnChangeHistorySection) means the database now reports v5.3.20 as vulnerable. After reviewing the details of the identified vulnerability (see https://docs.spring.io/spring-framework/docs/current/reference/html/integration.html#remoting-httpinvoker), we concluded that it does not affect droid directly. As no newer version of Spring is available, we decided to suppress this check for a limited period of time.

Solution:

We introduced a suppression for this specific vulnerability, scoped only to this version of Spring and valid until 1st October 2022. This lets the build succeed so that future development can continue.
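As an added illustration (not the project's own configuration file), this is how such a time-boxed suppression could be expressed for OWASP Dependency-Check, assuming that is the scanner producing these findings (the page does not name it); the notes text and the exact file layout are assumptions. The suppression is scoped to a single CVE, to exactly the two affected artifacts at version 5.3.20, and carries an expiry date so the finding resurfaces automatically when the suppression lapses.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example dependency-check suppression file (constructed for illustration). -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- "until" makes the suppression expire: after 2022-10-01 the CVE is reported again,
         which forces the decision to be revisited rather than forgotten. -->
    <suppress until="2022-10-01Z">
        <notes><![CDATA[
            CVE-2016-1000027 concerns HttpInvoker / RemoteInvocationSerializingExporter
            deserialization. droid does not expose these remoting endpoints, so the
            finding is accepted temporarily until a Spring release resolves it.
            Owner: build team. Review before the expiry date above.
        ]]></notes>

        <!-- Match only spring-core and spring-tx at exactly 5.3.20, by package URL.
             A newer Spring version will not match and will be scanned normally. -->
        <packageUrl regex="true">^pkg:maven/org\.springframework/spring\-(core|tx)@5\.3\.20$</packageUrl>

        <!-- Suppress this one CVE only; any other finding on these jars still fails the build. -->
        <cve>CVE-2016-1000027</cve>
    </suppress>

</suppressions>
```

The file is referenced from the build via the scanner's suppression-file setting; suppressing by exact package URL and single CVE rather than by artifact name alone keeps the exception from silently covering future versions or unrelated findings.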