Spring4shell Vulnerability.

[filipponova]

Description

Hi, guys.

Due to the spring4shell vulnerability CVE-2022-22965, we are updating the Spring Framework in our applications, after updating we noticed that some applications that use the Sentry Java SDK continued to point out the vulnerability, and upon investigating we realized that it is due to the Sentry SDK using a version of Spring Boot that is vulnerable to spring4shell.

We tried to find an SDK version that used some version of Spring Boot with the fix, but we couldn't find it.

We are using version 5.1.0 of Sentry Java SDK and our applications use Java 11 + Spring.

More Information:

https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Are there any plans to upgrade the Spring Framework version used by the SDK?

If there was any mistake on my part, I apologize in advance.

[maciejwalkowiak]

In a Spring Boot project, the actual version of Spring dependencies used depend on the Spring Boot version from a parent pom, (or dependencies management when you don't choose to use spring-boot-starter-parent as a parent pom).

Even though we list 2.4.4 in Sentry dependencies, when you use sentry-spring-boot-starter, Spring Boot is in control which version of Spring Framework is included - so there is nothing to worry about.

I understand concerns related to security tools reporting this issue, so we will bump Spring Boot version in our dependencies.

[maciejwalkowiak]

Fixed in #2011

[filipponova]

Thanks @maciejwalkowiak 🥇