Does CVE-2022-22950 affect JBoss EAP?

Solution Unverified - Updated

Environment

  • Red Hat Single Sign-On (RH-SSO) 7.x

Issue

  • Does CVE-2022-22950 affect JBoss EAP?
  • We got a security scanning report that Spring Beans 4.3.6 is installed on
    JBoss and would like to know how we can remediate
    /jboss-eap-7.3/modules/org/springframework/spring-beans/main/spring-beans-4.3.6.RELEASE.jar.
    Is it safe to remove this file from JBoss?

Resolution

  • According to the Red Hat CVE database, CVE-2022-22950 does not affect JBoss EAP; see
    https://access.redhat.com/security/cve/cve-2022-22950

    The affected jar is spring-beans, which is not provided by Red Hat or the Red Hat
    Maven repository; it is pulled in as a dependency of Spring Framework.

  • According to the Spring documentation, updating to 5.3.18 or 5.2.20 resolves the
    issue. Add one of these dependencies to your pom.xml to update the spring-beans
    version:

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-beans</artifactId>
            <version>5.3.18</version>
        </dependency>

    or

        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-beans</artifactId>
            <version>5.2.20</version>
        </dependency>
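An added check, written for this article and not part of the Red Hat solution, that finds spring-beans jars under a JBoss modules tree (or any list of paths a scanner reported) and flags those below the fix levels named above. The sample paths are constructed, and treating later releases on the 5.2 and 5.3 branches as still fixed is an assumption.

```python
import os
import re
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, int, int]

# Fix levels named in the resolution: 5.2.20 on the 5.2 branch, 5.3.18 on the 5.3 branch.
FIXED_5_2: Version = (5, 2, 20)
FIXED_5_3: Version = (5, 3, 18)

# Matches both naming styles: spring-beans-4.3.6.RELEASE.jar and spring-beans-5.3.18.jar
JAR_RE = re.compile(r"^spring-beans-(\d+)\.(\d+)\.(\d+)(?:\.[A-Za-z0-9]+)?\.jar$")


def parse_version(path: str) -> Optional[Version]:
    """Return (major, minor, patch) for a spring-beans jar path, or None for any other file."""
    m = JAR_RE.match(os.path.basename(path))
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_fixed(version: Version) -> bool:
    """True when the version is at or above the fix level the resolution names for its branch.
    Assumption (not stated in the article): later releases on each branch keep the fix."""
    if version[:2] == (5, 2):
        return version >= FIXED_5_2
    return version >= FIXED_5_3


def classify(paths: Iterable[str]) -> List[Tuple[str, Version, bool]]:
    """Keep only spring-beans jars and pair each with its version and fix status."""
    out = []
    for p in paths:
        v = parse_version(p)
        if v is not None:
            out.append((p, v, is_fixed(v)))
    return out


def scan_modules(root: str) -> List[Tuple[str, Version, bool]]:
    """Walk a JBoss EAP modules tree (e.g. /jboss-eap-7.3/modules) and classify every spring-beans jar."""
    return classify(os.path.join(d, f) for d, _subdirs, files in os.walk(root) for f in files)


if __name__ == "__main__":
    # Constructed sample paths, including the one from the report above; not real scan output.
    sample = [
        "/jboss-eap-7.3/modules/org/springframework/spring-beans/main/spring-beans-4.3.6.RELEASE.jar",
        "/app/WEB-INF/lib/spring-beans-5.2.20.jar",
        "/app/WEB-INF/lib/spring-core-5.3.17.jar",
    ]
    for path, ver, fixed in classify(sample):
        print(f"{'OK     ' if fixed else 'UPDATE '} {'.'.join(map(str, ver)):<8} {path}")
```

Run `scan_modules("/jboss-eap-7.3/modules")` on the server to confirm whether the upgraded jar has actually replaced the 4.3.6 one, since a pom.xml change only affects what the application bundles.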
