Skip to content

KNOX-3121 - Update spring-expressions for CVE-2024-38808 #1017

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

KNOX-3121 - Update spring-expressions for CVE-2024-38808 #1017

wants to merge 1 commit into from

Conversation

@Preetesh2110
Copy link

@Preetesh2110 Preetesh2110 commented Apr 7, 2025
edited
Loading

What changes were proposed in this pull request?

Update spring-expressions for CVE-2024-38808

How was this patch tested?

$ mvn dependency:tree | grep spring

Here is the output

+- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  \- org.springframework:spring-beans:jar:5.3.39:compile
+- org.springframework:spring-web:jar:5.3.39:compile
|  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  +- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |     \- org.springframework:spring-tx:jar:5.3.39:compile
+- org.springframework:spring-core:jar:5.3.39:compile
|  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-orm:jar:5.3.39:test
|  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:test
|  |  |     \- org.springframework:spring-tx:jar:5.3.39:test
|  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |  |     \- org.springframework:spring-tx:jar:5.3.39:compile
|  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  +- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:compile
|  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:compile
|  |  \- org.springframework:spring-core:jar:5.3.39:compile
|  |     \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  +- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:test
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:test
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:test
|  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:provided
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:provided
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:provided
|  |  +- org.springframework:spring-core:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:provided
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:provided
|  |  |  +- org.springframework:spring-context:jar:5.3.39:provided
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:provided
|  |  \- org.springframework:spring-web:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:provided
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:provided
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:provided
|  |  +- org.springframework:spring-core:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:provided
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:provided
|  |  |  +- org.springframework:spring-context:jar:5.3.39:provided
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:provided
|  |  \- org.springframework:spring-web:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:provided
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:provided
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:provided
|  |  +- org.springframework:spring-core:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:provided
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:provided
|  |  |  +- org.springframework:spring-context:jar:5.3.39:provided
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:provided
|  |  \- org.springframework:spring-web:jar:5.3.39:provided

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 7, 2025

@moresandeep could you please review this PR.

moresandeep
moresandeep approved these changes Apr 7, 2025
View reviewed changes
Copy link
Contributor

@moresandeep moresandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Preetesh2110, i kicked off the checks, we can merge the changes when the checks pass.

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 7, 2025

Hey I ran the build and tests locally with Java 11 and everything seems to be passing. Also the failures seems unrelated

Error:  Tests run: 3, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.157 s <<< FAILURE! - in org.apache.knox.gateway.websockets.MessageFailureTest

Expected: is <1009>
     but: was <1006>
	at org.apache.knox.gateway.websockets.MessageFailureTest.testMessageTooBig(MessageFailureTest.java:87)

Can we please rerun the workflow.

@moresandeep
Copy link
Contributor

moresandeep commented Apr 7, 2025

Hey I ran the build and tests locally with Java 11 and everything seems to be passing. Also the failures seems unrelated

Error:  Tests run: 3, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.157 s <<< FAILURE! - in org.apache.knox.gateway.websockets.MessageFailureTest

Expected: is <1009>
     but: was <1006>
	at org.apache.knox.gateway.websockets.MessageFailureTest.testMessageTooBig(MessageFailureTest.java:87)

Can we please rerun the workflow.

Weird, sure i can kickstart it again.

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 7, 2025
edited
Loading

@moresandeep really sorry to bug you so many times. This time the previous failure disappeared and a new failure occurred at gateway-test-release with no test failures. Could we please retrigger it. I have now locally build and ran tests with jdk-1.8 as well

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 8, 2025

Could we please re-trigger the workflow.

@moresandeep
Copy link
Contributor

moresandeep commented Apr 8, 2025

@Preetesh2110 that's okay, something weird is going on. I'll keep na eye on it.

@moresandeep
Copy link
Contributor

moresandeep commented Apr 8, 2025

@Preetesh2110 the failure is because of the following issue:

2025-04-07T13:39:44.7246933Z [INFO] --- enforcer:3.0.0-M3:enforce (enforce-dependencies) @ gateway-test-release-utils ---
2025-04-07T13:39:44.7966822Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/com/github/jnr/jffi/1.3.11/jffi-1.3.11.pom
2025-04-07T13:39:44.8033837Z [INFO] Downloaded from central: https://repo.maven.apache.org/maven2/com/github/jnr/jffi/1.3.11/jffi-1.3.11.pom (12 kB at 1.7 MB/s)
2025-04-07T13:39:44.8050798Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/net/jodah/failsafe/2.4.0/failsafe-2.4.0.pom
2025-04-07T13:39:44.8913163Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/net/jodah/failsafe/2.4.0/failsafe-2.4.0.pom
2025-04-07T13:39:44.8977725Z [INFO] Downloaded from central: https://repo.maven.apache.org/maven2/net/jodah/failsafe/2.4.0/failsafe-2.4.0.pom (7.3 kB at 1.2 MB/s)
2025-04-07T13:39:44.9507076Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/io/fabric8/docker-maven-plugin/0.45.0/docker-maven-plugin-0.45.0.jar
2025-04-07T13:39:45.0377109Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/com/github/jnr/jffi/1.3.11/jffi-1.3.11.jar
2025-04-07T13:39:45.0379887Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/com/github/jnr/jffi/1.3.11/jffi-1.3.11-native.jar
2025-04-07T13:39:45.0382272Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/net/jodah/failsafe/2.4.0/failsafe-2.4.0.jar
2025-04-07T13:40:45.1378386Z [WARNING] Rule 0: org.apache.maven.plugins.enforcer.DependencyConvergence failed with message:
2025-04-07T13:40:45.1379094Z Could not acquire lock(s)

Looks like an issue with pulling dependencies unrelated to your patch.

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 8, 2025

Thanks a lot Sandeep!

@smolnar82
Copy link
Contributor

smolnar82 commented Apr 8, 2025

Cleared caches and triggered new builds.
@Preetesh2110 - Please update the PR description with the outcome of your
$ mvn dependency:tree | grep spring
command.
Thanks!

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 9, 2025

Thanks @smolnar82 updated the description.

@smolnar82
Copy link
Contributor

smolnar82 commented Apr 14, 2025

I think there is an actual issue with the new version of Spring, which should be handled (exclude/upgrade, etc...). I'm glad we have the dependency enforcer tool as part of our builds.

@smolnar82
Copy link
Contributor

smolnar82 commented Oct 28, 2025

I'm going to close this PR in 5 days in case there is no activity on it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@moresandeep moresandeep moresandeep approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Preetesh2110 @moresandeep @smolnar82