
CVE in latest release 0.3.0M7

Open deschmih opened this issue 3 years ago • 3 comments

In the latest docker image (hawkbit-update-server:0.3.0M7-mysql) there is a really critical CVE https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-22965 included in spring-boot, spring-core, spring-webmvc and spring-beans.

Updating to ...:

  • spring-boot to 2.5.12 or later
  • spring-beans to 5.2.20 or later
  • spring-core to 5.2.20 or later
  • spring-webmvc to 5.2.20 or later

will fix the CVE.

If this can be fixed, we could all sleep better. Is there a timetable for the next release?

deschmih avatar Jul 22 '22 05:07 deschmih
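A dependency check against the fixed versions quoted above, as an added example (not hawkbit project code): it parses `mvn dependency:list` output and flags any of the four Spring artifacts whose version is below the floor named in the issue. The sample listing and its version numbers are constructed, not taken from the 0.3.0M7 image.

```python
"""Flag Spring artifacts below the fixed versions named in the issue (CVE-2022-22965).
Added example; input is assumed to be in `mvn dependency:list` format."""
import re

# Minimum fixed versions quoted in the issue, keyed by groupId:artifactId.
FIXED_VERSIONS = {
    "org.springframework.boot:spring-boot": "2.5.12",
    "org.springframework:spring-beans": "5.2.20",
    "org.springframework:spring-core": "5.2.20",
    "org.springframework:spring-webmvc": "5.2.20",
}

# One `mvn dependency:list` line: groupId:artifactId:type:version[:scope]
# (lines carrying a classifier are not handled and are simply skipped).
DEP_LINE = re.compile(
    r"^\s*(?:\[INFO\]\s+)?([\w.\-]+):([\w.\-]+):[\w\-]+:([\w.\-]+)(?::\w+)?\s*$"
)

# Constructed sample listing; versions are illustrative, not hawkbit's actual ones.
SAMPLE_DEPENDENCY_LIST = """\
[INFO]    org.springframework.boot:spring-boot:jar:2.5.11:compile
[INFO]    org.springframework:spring-core:jar:5.2.19.RELEASE:compile
[INFO]    org.springframework:spring-beans:jar:5.2.20.RELEASE:compile
[INFO]    org.springframework:spring-webmvc:jar:5.3.18:compile
[INFO]    org.eclipse.hawkbit:hawkbit-core:jar:0.3.0M7:compile
"""


def version_key(version):
    """Turn '5.2.19.RELEASE' into (5, 2, 19); a non-numeric piece ends the tuple."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def find_vulnerable(listing):
    """Return (groupId:artifactId, found_version, fixed_version) for every
    artifact whose version is older than the fix named in the issue."""
    findings = []
    for line in listing.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        coords = f"{m.group(1)}:{m.group(2)}"
        fixed = FIXED_VERSIONS.get(coords)
        if fixed and version_key(m.group(3)) < version_key(fixed):
            findings.append((coords, m.group(3), fixed))
    return findings
```

Run it against the real listing of your deployment (`mvn dependency:list` in the hawkbit build, or the jars shipped in the image) rather than the constructed sample to get an actual answer.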

@bogdan-bondar Some news on this topic?

deschmih avatar Aug 15 '22 05:08 deschmih

It seems recently hawkbit hasn't received as much love as it should have, at least maintenance wise. At our company we have adding hawkbit as an update service in our backlog, and security is of high priority to us. I cannot promise anything right now, as the decision isn't final yet and resources (as always) are sparse. However, mid-term we might be able to help with at least some of the maintenance work, if that would be of any help to you @bogdan-bondar?

Jasper-Ben avatar Sep 17 '22 13:09 Jasper-Ben

@Jasper-Ben Definitely! As you've already noticed, there is not enough work-force available currently to support the Hawkbit community, so any help would be greatly appreciated ;)

bogdan-bondar avatar Sep 20 '22 08:09 bogdan-bondar