Does CVE-2022-22950 affect JBoss EAP?
Environment
- Red Hat Single Sign-On (RH-SSO) 7.x
Issue
- Does CVE-2022-22950 affect JBoss EAP?
- We got a security scanning report that Spring Beans 4.3.6 is installed on JBoss and would like to know how we can remediate it:
  /jboss-eap-7.3/modules/org/springframework/spring-beans/main/spring-beans-4.3.6.RELEASE.jar
  Is it safe to remove this file from JBoss?
Resolution
- As per the CVE database, CVE-2022-22950 does not affect JBoss EAP; see https://access.redhat.com/security/cve/cve-2022-22950. The affected jar is Spring Beans, which is not provided by Red Hat or the Red Hat Maven repository; it gets pulled in from Spring Framework.
- As per the Spring documentation, updating to 5.3.18 or 5.2.20 resolves the issue. You can add one of these dependencies in your pom.xml to update the spring-beans version:
  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>5.3.18</version>
  </dependency>

  or

  <dependency>
    <groupId>org.springframework</groupId>
    <artifactId>spring-beans</artifactId>
    <version>5.2.20</version>
  </dependency>
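An added check, not part of the Red Hat solution, that inventories spring-beans jars under a JBoss EAP modules directory and flags any version below the fixed releases named above (5.3.18 on the 5.3 line, 5.2.20 on the 5.2 line); the module path layout mirrors the one in the Issue, and the demo uses a constructed directory with an empty file standing in for the jar.

```shell
#!/bin/sh
# Added example (not from the Red Hat article). Flags spring-beans jars that
# predate the fixed releases from the Resolution: 5.3.18 (5.3 line), 5.2.20 (5.2 line).

# Returns 0 if the version is at or above the fixed release for its line.
# Lines older than 5.2 (e.g. 4.3.x) predate both fixes and are reported as UPDATE;
# lines newer than 5.3 postdate them and are treated as fixed.
spring_beans_is_fixed() {
    ver=$1                                   # e.g. 5.3.18 or 4.3.6.RELEASE
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    patch=$(printf '%s' "$ver" | cut -d. -f3)
    patch=${patch:-0}                        # tolerate a bare major.minor
    case "$major.$minor" in
        5.3) [ "$patch" -ge 18 ] ;;
        5.2) [ "$patch" -ge 20 ] ;;
        *)   [ "$major" -gt 5 ] ;;
    esac
}

# Extracts the version from a file name such as spring-beans-4.3.6.RELEASE.jar
spring_beans_version_from_jar() {
    basename "$1" .jar | sed 's/^spring-beans-//'
}

# Prints one line per spring-beans jar found under the given modules directory:
#   OK      <version>  <path>      or      UPDATE  <version>  <path>
scan_modules() {
    find "$1" -type f -name 'spring-beans-*.jar' | while read -r jar; do
        ver=$(spring_beans_version_from_jar "$jar")
        if spring_beans_is_fixed "$ver"; then
            echo "OK      $ver  $jar"
        else
            echo "UPDATE  $ver  $jar"
        fi
    done
}

# Demo on a constructed layout matching the module path from the Issue above;
# an empty file stands in for the jar. Real use: scan_modules /jboss-eap-7.3/modules
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/org/springframework/spring-beans/main"
    : > "$tmp/org/springframework/spring-beans/main/spring-beans-4.3.6.RELEASE.jar"
    scan_modules "$tmp"
    rm -rf "$tmp"
}
```

A jar reported as UPDATE is only a concern if it is actually on a deployment's classpath; the Resolution above notes that this jar comes from your application's Spring Framework dependency, not from Red Hat.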
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.