Updating to latest stable version (in this case 3.0) is probably the best idea in the long run.
However, updating the major version (2.3.x -> 3.0) might be more complicated and require more work than updating to latest minor version (2.3.x -> 2.7.x). If you don't have a lot of time for this and some older version already have fixes included for those vulnerabilities it might be a viable option too. It's also possible that you have some dependencies that are not compatible with newest Spring Boot yet. But again, I believe that going for latest version is best if possible.
Spring boot parent should already contain all needed spring components versions. For example Spring Boot 2.7.3 uses spring-core:5.3.22 and you don't need to define it explicitly yourself.
Answer from Pekinek on Stack Overflowspring - Fixing Open source Vulnerabilities in Java - Stack Overflow
How do you fix OS, Java vulnerabilities continuously when shipping Dockerized applications?
If you constantly have CVE to fix you can consider different options :
-
mitigate the CVE, not every CVE need to be fixed if countermeasures exists.
-
reduce your surface attack, maybe your dev are too permissive with services that's are not needed
-
be more proactive, it ask less efforts by testing everything yourself before shipping. I understand you already do that but if the language/library you use are constantly source of exploit and if security is business critical then switching to another language might be the most viable solution
-
Split your development in modules so you can reduce the blast radius of a CVE on a module to an another one.
Good luck
Edit : not sure if I made myself understood English is not my everyday language
More on reddit.comSpring4Shell Detection: New Java Vulnerability Follows in the Footsteps of Notorious Log4j
This is a much smaller footprint then log4j... Well so far. You have to have the request posted converted into a bean, with the webapplicationclass loader.
Take it any of those Tomcat with web app cl Bean conversion of requests Java 9+ And it no longer occurs.
Even better per my testing spring security prevents this too well without authentication or custom auth beans.
Don't get me wrong this is a hell of a nice find, and will cause some headaches, but not quite the scale of log4j. Well so far.
More on reddit.comSpring4Shell: Security Analysis of the latest Java RCE '0-day' vulnerabilities
We've been able to reproduce this but the conditions required are very specific and unusual so we had to really misconfigure the product to reproduce the exploit. So far, it doesn't seem to work at all with JDK 8 which is all we use. I feel like some of these research bloggers are trying to blow this up because they want to break the next log4j disaster but... this isn't even close. The RCE itself could be bad but the possibility of exploiting this in the wild with all of the stars aligning just right... very slim. Big reason why we still haven't seen anyone do it yet.
More on reddit.comVideos
Updating to latest stable version (in this case 3.0) is probably the best idea in the long run.
However, updating the major version (2.3.x -> 3.0) might be more complicated and require more work than updating to latest minor version (2.3.x -> 2.7.x). If you don't have a lot of time for this and some older version already have fixes included for those vulnerabilities it might be a viable option too. It's also possible that you have some dependencies that are not compatible with newest Spring Boot yet. But again, I believe that going for latest version is best if possible.
Spring boot parent should already contain all needed spring components versions. For example Spring Boot 2.7.3 uses spring-core:5.3.22 and you don't need to define it explicitly yourself.
Is there any guiding principle based on which we need to select the version of spring boot.
Generally you would select the Spring Boot version which has got the vulnerability fixed as your objective is related to security. Many times you are so behind that Spring may not provide security patches release for that minor version line that you will need to upgrade to major version but this requires lots of testing as there may be breaking changes as far as functionality is concerned. Also worth referring is CVE vulnerability database for any specific vulnerability coming from transitive dependencies. You can search for a library name ( for e.g., log4j or jackson ) to check what vulnerability is there and if it has been patched in any version.
I need to be studying for my CISSP but all my time is being consumed by this. Please let me know if there are any other subreddits I should be asking this question on. Here is the explanation, any help would be great.
My company (10 workers) ships our Java based web service product packaged as docker containers. We try our best to fix vulnerabilities in base OS image, then our JDK jars etc. However since new vulnerabilities are constantly discovered, our customers keep scanning the container images we provide and ask us to fix a large list of CVEs.
A Java library related CVE that may not have been there three months ago when we shipped, can now be used as an excuse by the client to force to us to invest significant amount of time in redevelopment, regression testing and shipping a new version, which again will have vulnerabilities with a week of us releasing it.
How do people usually deal with this? The volume of vulnerabilities is insane and there is no possible way we can fix it all. We fear we will go out of business. How do we approach this?
If you constantly have CVE to fix you can consider different options :
-
mitigate the CVE, not every CVE need to be fixed if countermeasures exists.
-
reduce your surface attack, maybe your dev are too permissive with services that's are not needed
-
be more proactive, it ask less efforts by testing everything yourself before shipping. I understand you already do that but if the language/library you use are constantly source of exploit and if security is business critical then switching to another language might be the most viable solution
-
Split your development in modules so you can reduce the blast radius of a CVE on a module to an another one.
Good luck
Edit : not sure if I made myself understood English is not my everyday language
I don't have an easy fix or a quick one, but, it sounds like you guys need to move to a CI/CD pipeline. You can automate it to the point where it's pulling updates for you, regression testing, VA scanning and making the container available for client download after sign off. I use GitLab as my personal development svn and my stuff is nowhere near that mature. Heck it's really just a personal git VM with big aspirations at this point but I see the functionality available in the UI. It might be worth a look if you guys haven't already looked at doing something like that.