The CVE-2022-22963 spring-cloud-function vulnerability was recently discovered, and a simple fix was provided by the team here: cve-report-published-for-spring-cloud-function
We are getting spring-cloud-function-context:3.0.6 from spring-cloud-stream:3.0.4 by the following dependencies (our spring.boot.version is 2.2.6):
- spring-cloud-services-starter-circuit-breaker:2.2.6
- spring-cloud-bus:2.2.6 (including amqp/kafka)
- spring-cloud-starter-stream-kafka:3.0.4
- spring-cloud-starter-stream-rabbit:3.0.4
We are not using RoutingFunction directly, but are afraid that the libraries which bring in spring-cloud-function-context/core via spring-cloud-stream, which I've mentioned above, might be using RoutingFunction and expose us to the vulnerability.
What is the preferred mitigation for us on this CVE?
Can we upgrade to spring-cloud-function version 3.1.7 without compatibility issues with our spring version?
First, spring-cloud-stream is not affected by the CVE you mention. It only affects spring-cloud-function if the spring-cloud-function-web module is used.
As for the issue you are describing in your last comment (NCDFE), this can only happen if you are using old and incompatible versions of Stream and Functions.
So..., as Soby mentioned, 3.1 is EOL, so you still have to upgrade.
You can upgrade the standard spring-boot way by updating the spring-cloud BOM, or you can manually change individual dependencies.
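The answer's key point is that exposure hinges on whether spring-cloud-function-web is actually on the classpath, not on spring-cloud-stream pulling in spring-cloud-function-context. The following shell snippet is an added example, not part of the answer or of any Spring project, for checking that from the output of `mvn dependency:tree`. It assumes Maven's usual `groupId:artifactId:jar:version:scope` line format; the sample tree is constructed here using the versions quoted in the question.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output (versions taken from the question above).
SAMPLE_TREE='[INFO] com.example:demo:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-starter-stream-kafka:jar:3.0.4:compile
[INFO] |  \- org.springframework.cloud:spring-cloud-stream:jar:3.0.4:compile
[INFO] |     \- org.springframework.cloud:spring-cloud-function-context:jar:3.0.6:compile
[INFO] |        \- org.springframework.cloud:spring-cloud-function-core:jar:3.0.6:compile
[INFO] \- org.springframework.cloud:spring-cloud-bus:jar:2.2.6:compile'

# artifact_versions ARTIFACT_ID
# Reads a dependency tree on stdin and prints each resolved version of the given
# org.springframework.cloud artifact, one per line, deduplicated.
# Empty output means the artifact is not on the classpath at all.
artifact_versions() {
  sed -n "s/.*org\.springframework\.cloud:$1:jar:\([^:]*\):.*/\1/p" | sort -u
}

# function_web_status
# Prints "present" if spring-cloud-function-web (the module the CVE concerns)
# appears anywhere in the tree on stdin, otherwise "absent".
function_web_status() {
  if [ -n "$(artifact_versions spring-cloud-function-web)" ]; then
    echo present
  else
    echo absent
  fi
}

# Demonstration against the constructed sample; on a real project replace the
# printf with: mvn dependency:tree | function_web_status
printf '%s\n' "$SAMPLE_TREE" | function_web_status
printf '%s\n' "$SAMPLE_TREE" | artifact_versions spring-cloud-function-context
```

Run it from the project directory with `mvn dependency:tree | function_web_status`; "absent" means the transitive spring-cloud-function-context dependency is not, by itself, the condition the CVE requires, while "present" means the upgrade the answer describes should be treated as mandatory rather than precautionary. Listing the resolved spring-cloud-function-context versions alongside is useful after the BOM bump to confirm nothing still pins the old 3.0.x line.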