Bump spring versions to mitigate CVE-2022-22965.

The update to trace-analytics-sample-app mitigates the CVE. Data-prepper-core is also updated, but this is not currently exploitable as this package does not meet the requirements https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-i-impacted. Signed-off-by: Marc Handalian <handalm@amazon.com>
opensearch-project · Apr 1, 2022 · 099ff4a · 099ff4a
1 parent 9f3e90d
commit 099ff4a
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/data-prepper-core/build.gradle b/data-prepper-core/build.gradle
@@ -30,13 +30,13 @@ dependencies {
     implementation 'org.apache.logging.log4j:log4j-core'
     implementation 'org.apache.logging.log4j:log4j-slf4j-impl'
     implementation 'javax.inject:javax.inject:1'
-    implementation('org.springframework:spring-core:5.3.16') {
+    implementation('org.springframework:spring-core:5.3.18') {
         exclude group: 'commons-logging', module: 'commons-logging'
     }
-    implementation('org.springframework:spring-context:5.3.16') {
+    implementation('org.springframework:spring-context:5.3.18') {
         exclude group: 'commons-logging', module: 'commons-logging'
     }
-    testImplementation 'org.springframework:spring-test:5.3.16'
+    testImplementation 'org.springframework:spring-test:5.3.18'
     testImplementation "org.hamcrest:hamcrest:2.2"
     testImplementation "org.mockito:mockito-inline:${versionMap.mockito}"
 }

diff --git a/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle b/examples/trace-analytics-sample-app/sample-app/analytics-service/build.gradle
@@ -5,7 +5,7 @@
 
 plugins {
     id 'java'
-    id 'org.springframework.boot' version '2.3.1.RELEASE'
+    id 'org.springframework.boot' version '2.6.6.RELEASE'
     id 'io.spring.dependency-management' version '1.0.9.RELEASE'
 }