question CVE-2022-22970 and CVE-2022-22971 spring-core vulnerabilities in Support Questions https://community.cloudera.com/t5/Support-Questions/CVE-2022-22970-and-CVE-2022-22971-spring-core/m-p/356215#M237227 <P>Our vulnerability scanning found these two vulnerabilities on our CDP Private Cloud 7.1.7-SP1,&nbsp;CVE-2022-22970 and CVE-2022-22971.&nbsp; There are several versions of spring-core in the parcel, none of which are the recommended version:<BR /><BR />./jars/spring-core-4.3.29.RELEASE.jar<BR />./jars/spring-core-5.2.18.RELEASE.jar<BR />./jars/spring-core-5.3.10.jar<BR />./jars/spring-core-5.3.12.jar<BR />./jars/spring-core-5.3.13.jar<BR />./jars/spring-core-5.3.4.jar<BR /><BR />Is CDP vulnerable to these vulnerabilities?</P><P>&nbsp;</P><P><A href="https://tanzu.vmware.com/security/cve-2022-22970" target="_blank" rel="noopener">https://tanzu.vmware.com/security/cve-2022-22970</A></P><P><A href="https://tanzu.vmware.com/security/cve-2022-22971" target="_blank" rel="noopener">https://tanzu.vmware.com/security/cve-2022-22971</A></P><P>&nbsp;</P> Wed, 26 Oct 2022 14:51:33 GMT loubershad 2022-10-26T14:51:33Z CVE-2022-22970 and CVE-2022-22971 spring-core vulnerabilities https://community.cloudera.com/t5/Support-Questions/CVE-2022-22970-and-CVE-2022-22971-spring-core/m-p/356215#M237227 <P>Our vulnerability scanning found these two vulnerabilities on our CDP Private Cloud 7.1.7-SP1,&nbsp;CVE-2022-22970 and CVE-2022-22971.&nbsp; There are several versions of spring-core in the parcel, none of which are the recommended version:<BR /><BR />./jars/spring-core-4.3.29.RELEASE.jar<BR />./jars/spring-core-5.2.18.RELEASE.jar<BR />./jars/spring-core-5.3.10.jar<BR />./jars/spring-core-5.3.12.jar<BR />./jars/spring-core-5.3.13.jar<BR />./jars/spring-core-5.3.4.jar<BR /><BR />Is CDP vulnerable to these vulnerabilities?</P><P>&nbsp;</P><P><A href="https://tanzu.vmware.com/security/cve-2022-22970" target="_blank" rel="noopener">https://tanzu.vmware.com/security/cve-2022-22970</A></P><P><A href="https://tanzu.vmware.com/security/cve-2022-22971" target="_blank" rel="noopener">https://tanzu.vmware.com/security/cve-2022-22971</A></P><P>&nbsp;</P> Wed, 26 Oct 2022 14:51:33 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-22970-and-CVE-2022-22971-spring-core/m-p/356215#M237227 loubershad 2022-10-26T14:51:33Z Re: CVE-2022-22970 and CVE-2022-22971 spring-core vulnerabilities https://community.cloudera.com/t5/Support-Questions/CVE-2022-22970-and-CVE-2022-22971-spring-core/m-p/356236#M237235 <P>Hello&nbsp;<a href="https://community.cloudera.com/t5/user/viewprofilepage/user-id/8264">@loubershad</a>,</P><P>&nbsp;</P><P>Current available GA versions of CDP does not have the fix included for the mentioned CVE (<SPAN>CVE-2022-22970 and CVE-2022-22971)</SPAN></P><P>&nbsp;</P><P><SPAN>However, it is currently planned and should be available with&nbsp;upcoming release of CDP&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Thank you!</SPAN></P> Wed, 26 Oct 2022 17:09:36 GMT https://community.cloudera.com/t5/Support-Questions/CVE-2022-22970-and-CVE-2022-22971-spring-core/m-p/356236#M237235 pajoshi 2022-10-26T17:09:36Z