Is Spring Cloud Stream affected by CVE-2022-22963 (spring cloud function)


The CVE-2022-22963 - spring cloud function vulnerability was recently discovered and a simple fix was provided by the team here: cve-report-published-for-spring-cloud-function

We are getting spring-cloud-function-context:3.0.6 from spring-cloud-stream:3.0.4 by the following dependencies (our spring.boot.version is 2.2.6):

  • spring-cloud-services-starter-circuit-breaker:2.2.6
  • spring-cloud-bus:2.2.6 (including amqp/kafka)
  • spring-cloud-starter-stream-kafka:3.0.4
  • spring-cloud-starter-stream-rabbit:3.0.4

We are not using RoutingFunction directly, but we are afraid that the libraries which bring in spring-cloud-function-context/core via spring-cloud-stream, which I've mentioned above, might be using RoutingFunction and expose us to the vulnerability.

What is the preferred mitigation for us on this CVE?
Can we upgrade to spring-cloud-function version 3.1.7 without compatibility issues with our spring version?


There are 2 answers

Oleg Zhurakousky (best answer)

First, spring-cloud-stream is not affected by the CVE you mention. It is only affecting spring-cloud-function if spring-cloud-function-web module is used.

As for the issue you are describing in your last comment (NCDFE) this can only happen if you are using old and incompatible versions of Stream and Functions.

So..., as Soby mentioned, 3.1 is EOL, so you still have to upgrade.
You can upgrade the standard spring-boot way by updating the spring-cloud BOM:

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.springframework.cloud</groupId>
                <artifactId>spring-cloud-dependencies</artifactId>
                <version>2021.0.3</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>

Or you can manually change individual dependencies.

  • Spring Cloud Function - 3.2.6
  • Spring Cloud Stream - 3.2.4
sobychacko

Spring Cloud Function and Spring Cloud Stream 3.0.x versions are out of OSS/commercial support. Even for 3.1.x versions, they are out of OSS support, as seen from that chart in the links provided. The routing function issue is addressed in Spring Cloud Function 3.2.3 and 3.1.7 versions. Our recommendation is to manually upgrade to one of those versions for the module spring-cloud-function-context.
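A small check that applies both answers to a real dependency tree, as an added example that is not part of either answer. It parses `mvn dependency:tree` output, reads the resolved spring-cloud-function-context version, compares it with the patched releases named above (3.1.7 for the 3.1.x line, 3.2.3 for the 3.2.x line), and reports whether spring-cloud-function-web is on the classpath, since the accepted answer says the CVE only applies when that module is used. The sample tree is constructed for illustration, and treating branches newer than 3.2 as patched is an assumption made here, not something either answer states.

```python
import re

# Constructed sample of `mvn dependency:tree` output (illustrative, not taken from the question).
SAMPLE_TREE = """\
[INFO] com.example:orders:jar:1.0.0
[INFO] +- org.springframework.cloud:spring-cloud-starter-stream-kafka:jar:3.0.4:compile
[INFO] |  \\- org.springframework.cloud:spring-cloud-stream:jar:3.0.4:compile
[INFO] |     \\- org.springframework.cloud:spring-cloud-function-context:jar:3.0.6:compile
[INFO] +- org.springframework.cloud:spring-cloud-bus:jar:2.2.6.RELEASE:compile
[INFO] \\- org.springframework.cloud:spring-cloud-function-web:jar:3.0.6:compile
"""

# Minimum patched release per maintained branch, as stated in the second answer:
# 3.1.7 for the 3.1.x line and 3.2.3 for the 3.2.x line.
FIXED_MIN = {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}

# Matches "org.springframework.cloud:spring-cloud-function-<module>:jar:<version>" in a tree line.
DEP_RE = re.compile(
    r"org\.springframework\.cloud:(spring-cloud-function-[a-z]+):jar:([0-9][\w.\-]*)"
)


def parse_version(text: str) -> tuple:
    """Return the leading numeric components of a Maven version ("2.2.6.RELEASE" -> (2, 2, 6))."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def context_is_fixed(version: str) -> bool:
    """True if spring-cloud-function-context at `version` carries the routing-function fix."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_MIN:
        return v >= FIXED_MIN[branch]
    # Assumption (ours): branches newer than 3.2 were released after the fix;
    # 3.0.x and older are out of support and never received it.
    return branch > (3, 2)


def find_function_artifacts(tree_text: str) -> dict:
    """Map each spring-cloud-function-* artifact in the tree to its first resolved version."""
    found = {}
    for line in tree_text.splitlines():
        m = DEP_RE.search(line)
        if m:
            found.setdefault(m.group(1), m.group(2))
    return found


def assess(tree_text: str) -> dict:
    """Summarise exposure using the conditions given in the two answers."""
    arts = find_function_artifacts(tree_text)
    ctx = arts.get("spring-cloud-function-context")
    fixed = context_is_fixed(ctx) if ctx else None
    web = "spring-cloud-function-web" in arts
    return {
        "function_context_version": ctx,
        "context_fixed": fixed,
        "function_web_present": web,
        # Per the accepted answer the CVE only bites when spring-cloud-function-web is used,
        # so "exposed" requires both an unpatched context version and the web module.
        "exposed": bool(ctx) and not fixed and web,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_TREE))
```

To run it against your own build, pipe the output of `mvn dependency:tree` into `assess`; even when the result is not "exposed", a context version below 3.1.7 or 3.2.3 still means you are on an unsupported line and should follow the BOM upgrade in the accepted answer.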