[USN-7165-1] Spring Framework vulnerability

Hlib Korzhynskyy hlib.korzhynskyy at canonical.com
Wed Dec 18 13:01:15 UTC 2024


==========================================================================
Ubuntu Security Notice USN-7165-1
December 17, 2024

libspring-java vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Spring Framework could be made to run programs or expose sensitive
information if it received specially crafted network traffic.

Software Description:
- libspring-java: Modular Java/J2EE application framework

Details:

It was discovered that the Spring Framework incorrectly handled web
requests via data binding. An attacker could possibly use this issue to
achieve remote code execution and obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.10
   libspring-aop-java              4.3.30-2ubuntu0.24.10.1
   libspring-beans-java            4.3.30-2ubuntu0.24.10.1
   libspring-context-java          4.3.30-2ubuntu0.24.10.1
   libspring-context-support-java  4.3.30-2ubuntu0.24.10.1
   libspring-core-java             4.3.30-2ubuntu0.24.10.1
   libspring-expression-java       4.3.30-2ubuntu0.24.10.1
   libspring-instrument-java       4.3.30-2ubuntu0.24.10.1
   libspring-jdbc-java             4.3.30-2ubuntu0.24.10.1
   libspring-jms-java              4.3.30-2ubuntu0.24.10.1
   libspring-messaging-java        4.3.30-2ubuntu0.24.10.1
   libspring-orm-java              4.3.30-2ubuntu0.24.10.1
   libspring-oxm-java              4.3.30-2ubuntu0.24.10.1
   libspring-transaction-java      4.3.30-2ubuntu0.24.10.1
   libspring-web-java              4.3.30-2ubuntu0.24.10.1
   libspring-web-portlet-java      4.3.30-2ubuntu0.24.10.1
   libspring-web-servlet-java      4.3.30-2ubuntu0.24.10.1

Ubuntu 24.04 LTS
   libspring-aop-java              4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-beans-java            4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-java          4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-support-java  4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-core-java             4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-expression-java       4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-instrument-java       4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-jdbc-java             4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-jms-java              4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-messaging-java        4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-orm-java              4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-oxm-java              4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-transaction-java      4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-java              4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-portlet-java      4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-servlet-java      4.3.30-2ubuntu0.24.04.1~esm1
                                   Available with Ubuntu Pro

Ubuntu 22.04 LTS
   libspring-aop-java              4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-beans-java            4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-java          4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-support-java  4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-core-java             4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-expression-java       4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-instrument-java       4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-jdbc-java             4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-jms-java              4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-messaging-java        4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-orm-java              4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-oxm-java              4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-transaction-java      4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-java              4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-portlet-java      4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-servlet-java      4.3.30-1ubuntu0.1~esm1
                                   Available with Ubuntu Pro

Ubuntu 20.04 LTS
   libspring-aop-java              4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-beans-java            4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-java          4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-support-java  4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-core-java             4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-expression-java       4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-instrument-java       4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-jdbc-java             4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-jms-java              4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-messaging-java        4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-orm-java              4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-oxm-java              4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-transaction-java      4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-java              4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-portlet-java      4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-servlet-java      4.3.22-4ubuntu0.1~esm1
                                   Available with Ubuntu Pro

Ubuntu 18.04 LTS
   libspring-aop-java              4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-beans-java            4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-java          4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-context-support-java  4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-core-java             4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-expression-java       4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-instrument-java       4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-jdbc-java             4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-jms-java              4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-messaging-java        4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-orm-java              4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-oxm-java              4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-transaction-java      4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-java              4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-portlet-java      4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro
   libspring-web-servlet-java      4.3.22-1~18.04.1~esm1
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7165-1
   CVE-2022-22965

Package Information:
https://launchpad.net/ubuntu/+source/libspring-java/4.3.30-2ubuntu0.24.10.1
