[USN-7165-1] Spring Framework vulnerability
Hlib Korzhynskyy
hlib.korzhynskyy at canonical.com
Wed Dec 18 13:01:15 UTC 2024
==========================================================================
Ubuntu Security Notice USN-7165-1
December 17, 2024
libspring-java vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.10
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Spring Framework could be made to run programs or expose sensitive
information if it received specially crafted network traffic.

Software Description:
- libspring-java: Modular Java/J2EE application framework

Details:

It was discovered that the Spring Framework incorrectly handled web
requests via data binding. An attacker could possibly use this issue to
achieve remote code execution and obtain sensitive information.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.10
libspring-aop-java 4.3.30-2ubuntu0.24.10.1
libspring-beans-java 4.3.30-2ubuntu0.24.10.1
libspring-context-java 4.3.30-2ubuntu0.24.10.1
libspring-context-support-java 4.3.30-2ubuntu0.24.10.1
libspring-core-java 4.3.30-2ubuntu0.24.10.1
libspring-expression-java 4.3.30-2ubuntu0.24.10.1
libspring-instrument-java 4.3.30-2ubuntu0.24.10.1
libspring-jdbc-java 4.3.30-2ubuntu0.24.10.1
libspring-jms-java 4.3.30-2ubuntu0.24.10.1
libspring-messaging-java 4.3.30-2ubuntu0.24.10.1
libspring-orm-java 4.3.30-2ubuntu0.24.10.1
libspring-oxm-java 4.3.30-2ubuntu0.24.10.1
libspring-transaction-java 4.3.30-2ubuntu0.24.10.1
libspring-web-java 4.3.30-2ubuntu0.24.10.1
libspring-web-portlet-java 4.3.30-2ubuntu0.24.10.1
libspring-web-servlet-java 4.3.30-2ubuntu0.24.10.1
Ubuntu 24.04 LTS
libspring-aop-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-beans-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-context-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-context-support-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-core-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-expression-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-instrument-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-jdbc-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-jms-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-messaging-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-orm-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-oxm-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-transaction-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-web-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-web-portlet-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
libspring-web-servlet-java 4.3.30-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
libspring-aop-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-beans-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-context-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-context-support-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-core-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-expression-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-instrument-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-jdbc-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-jms-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-messaging-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-orm-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-oxm-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-transaction-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-web-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-web-portlet-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-web-servlet-java 4.3.30-1ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
libspring-aop-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-beans-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-context-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-context-support-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-core-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-expression-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-instrument-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-jdbc-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-jms-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-messaging-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-orm-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-oxm-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-transaction-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-web-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-web-portlet-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
libspring-web-servlet-java 4.3.22-4ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
libspring-aop-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-beans-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-context-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-context-support-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-core-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-expression-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-instrument-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-jdbc-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-jms-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-messaging-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-orm-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-oxm-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-transaction-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-web-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-web-portlet-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
libspring-web-servlet-java 4.3.22-1~18.04.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
  https://ubuntu.com/security/notices/USN-7165-1
  CVE-2022-22965

Package Information:
  https://launchpad.net/ubuntu/+source/libspring-java/4.3.30-2ubuntu0.24.10.1