Greenplum PXF - Workaround for handling Spring Framework Vulnerabilities for Tanzu Greenplum

Article ID: 296758

Updated On:

Products

VMware Tanzu Greenplum

Issue/Introduction

Symptom:
Vulnerabilities have been reported against Spring Framework 5.3.0 through 5.3.17 when running on JDK 9 or later [1].

Context:
PXF 6.0+ uses Spring Boot 2.4.3, which ships with Spring Framework 5.3.4.
Users running PXF on JDK 11 may therefore be vulnerable to CVE-2022-22965 [2].


Environment

Product Version: 6.18

Resolution

Workaround:
Customers should use JRE 1.8 (Java 8) when running PXF 6.0+ until a version of PXF containing Spring Framework 5.3.18+ is released.
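A host check derived from the two conditions above (Spring Framework 5.3.0 through 5.3.17 combined with JDK 9+), added here as an example and not part of PXF's own tooling. It assumes PXF runs on the JDK in $JAVA_HOME (falling back to java on PATH) and that the Spring jars live under the PXF install directory, either as loose jars or inside a Spring Boot fat jar; the default directory in check_host is a placeholder to adjust.

```shell
# Added check (not PXF's own tooling): is this host in the combination the
# article describes, Spring Framework 5.3.0-5.3.17 on JDK 9+? Assumes PXF uses
# the JDK in $JAVA_HOME (else java on PATH) and that the Spring jars are under
# the PXF install dir, loose or inside a Spring Boot fat jar (needs unzip).
# Major version from `java -version` text: "1.8.0_322" -> 8, "11.0.14" -> 11.
java_major() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    case "$v" in
        1.*) printf '%s\n' "$v" | cut -d. -f2 ;;
        *)   printf '%s\n' "$v" | cut -d. -f1 ;;
    esac
}

# 0 if a spring-core version lies in 5.3.0..5.3.17, else 1.
spring_affected() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    pat=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    if [ "$maj" = 5 ] && [ "$min" = 3 ] && [ "${pat:-0}" -le 17 ]; then return 0; fi
    return 1
}

# 0 only when both conditions hold: JDK 9 or newer and an affected Spring.
pxf_affected() {
    jm=$(java_major "$1") || return 1
    if [ "$jm" -ge 9 ] && spring_affected "$2"; then return 0; fi
    return 1
}

# spring-core version under a directory: loose jar first, then BOOT-INF/lib of any fat jar.
find_spring_version() {
    jar=$(find "$1" -name 'spring-core-*.jar' 2>/dev/null | head -n 1)
    if [ -n "$jar" ]; then basename "$jar" .jar | sed 's/^spring-core-//'; return 0; fi
    for fat in $(find "$1" -name '*.jar' 2>/dev/null); do
        e=$(unzip -l "$fat" 2>/dev/null | grep -o 'spring-core-[0-9][^ /]*\.jar' | head -n 1)
        if [ -n "$e" ]; then printf '%s\n' "$e" | sed 's/^spring-core-//; s/\.jar$//'; return 0; fi
    done
    return 1
}

# Live check; the default directory is a placeholder for your PXF install path.
check_host() {
    sv=$(find_spring_version "${1:-/usr/local/pxf-gp6}") || { echo "spring-core not found"; return 2; }
    jv=$("${JAVA_HOME:+$JAVA_HOME/bin/}java" -version 2>&1)
    jm=$(java_major "$jv") || { echo "cannot parse java -version"; return 2; }
    if pxf_affected "$jv" "$sv"; then echo "AFFECTED: Spring $sv on JDK $jm; run PXF on JRE 1.8"; return 0; fi
    echo "not affected: Spring $sv on JDK $jm"; return 1
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```

Run it with the PXF install directory as the only argument; exit status 0 means the host matches the affected combination, 1 means it does not, 2 means the check could not determine the versions.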

References:
1. Spring Framework RCE: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
2. CVE-2022-22965: https://tanzu.vmware.com/security/cve-2022-22965