Skip to content

KNOX-3121 - Update spring-expressions for CVE-2024-38808#1017

Open
Preetesh2110 wants to merge 1 commit intoapache:masterfrom
Preetesh2110:Preetesh2110-patch-1
Open

KNOX-3121 - Update spring-expressions for CVE-2024-38808#1017
Preetesh2110 wants to merge 1 commit intoapache:masterfrom
Preetesh2110:Preetesh2110-patch-1

Conversation

@Preetesh2110
Copy link

@Preetesh2110 Preetesh2110 commented Apr 7, 2025
edited
Loading

What changes were proposed in this pull request?

Update spring-expressions for CVE-2024-38808

How was this patch tested?

$ mvn dependency:tree | grep spring

Here is the output

+- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  \- org.springframework:spring-beans:jar:5.3.39:compile
+- org.springframework:spring-web:jar:5.3.39:compile
|  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  +- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |     \- org.springframework:spring-tx:jar:5.3.39:compile
+- org.springframework:spring-core:jar:5.3.39:compile
|  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-orm:jar:5.3.39:test
|  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:test
|  |  |     \- org.springframework:spring-tx:jar:5.3.39:test
|  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |  |     \- org.springframework:spring-tx:jar:5.3.39:compile
|  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  +- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  \- org.springframework:spring-web:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:compile
|  |  +- org.springframework:spring-core:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:compile
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:compile
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:compile
|  |  \- org.springframework:spring-core:jar:5.3.39:compile
|  |     \- org.springframework:spring-jcl:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:compile
|  |  |  +- org.springframework:spring-context:jar:5.3.39:compile
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:compile
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:compile
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:compile
|  |  +- org.springframework:spring-web:jar:5.3.39:compile
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:test
|  |  |  +- org.springframework:spring-context:jar:5.3.39:test
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:test
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:test
|  |  \- org.springframework:spring-web:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:test
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:test
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:test
|  |  +- org.springframework:spring-core:jar:5.3.39:test
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:test
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:provided
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:provided
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:provided
|  |  +- org.springframework:spring-core:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:provided
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:provided
|  |  |  +- org.springframework:spring-context:jar:5.3.39:provided
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:provided
|  |  \- org.springframework:spring-web:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:provided
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:provided
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:provided
|  |  +- org.springframework:spring-core:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:provided
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:provided
|  |  |  +- org.springframework:spring-context:jar:5.3.39:provided
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:provided
|  |  \- org.springframework:spring-web:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-orm:jar:5.3.39:provided
|  |  |  |     +- org.springframework:spring-jdbc:jar:5.3.39:provided
|  |  |  |     \- org.springframework:spring-tx:jar:5.3.39:provided
|  |  +- org.springframework:spring-core:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-jcl:jar:5.3.39:provided
|  |  +- org.springframework.vault:spring-vault-core:jar:2.3.4:provided
|  |  |  +- org.springframework:spring-context:jar:5.3.39:provided
|  |  |  |  +- org.springframework:spring-aop:jar:5.3.39:provided
|  |  |  |  \- org.springframework:spring-expression:jar:5.3.39:provided
|  |  |  \- org.springframework:spring-beans:jar:5.3.39:provided
|  |  \- org.springframework:spring-web:jar:5.3.39:provided

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 7, 2025

@moresandeep could you please review this PR.

moresandeep
moresandeep approved these changes Apr 7, 2025
View reviewed changes
Copy link
Contributor

@moresandeep moresandeep left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Preetesh2110, i kicked off the checks, we can merge the changes when the checks pass.

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 7, 2025

Hey I ran the build and tests locally with Java 11 and everything seems to be passing. Also the failures seems unrelated

Error:  Tests run: 3, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.157 s <<< FAILURE! - in org.apache.knox.gateway.websockets.MessageFailureTest

Expected: is <1009>
     but: was <1006>
	at org.apache.knox.gateway.websockets.MessageFailureTest.testMessageTooBig(MessageFailureTest.java:87)

Can we please rerun the workflow.

@moresandeep
Copy link
Contributor

moresandeep commented Apr 7, 2025

Hey I ran the build and tests locally with Java 11 and everything seems to be passing. Also the failures seems unrelated

Error:  Tests run: 3, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 0.157 s <<< FAILURE! - in org.apache.knox.gateway.websockets.MessageFailureTest

Expected: is <1009>
     but: was <1006>
	at org.apache.knox.gateway.websockets.MessageFailureTest.testMessageTooBig(MessageFailureTest.java:87)

Can we please rerun the workflow.

Weird, sure i can kickstart it again.

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 7, 2025
edited
Loading

@moresandeep really sorry to bug you so many times. This time the previous failure disappeared and a new failure occurred at gateway-test-release with no test failures. Could we please retrigger it. I have now locally build and ran tests with jdk-1.8 as well

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 8, 2025

Could we please re-trigger the workflow.

@moresandeep
Copy link
Contributor

moresandeep commented Apr 8, 2025

@Preetesh2110 that's okay, something weird is going on. I'll keep na eye on it.

@moresandeep
Copy link
Contributor

moresandeep commented Apr 8, 2025

@Preetesh2110 the failure is because of the following issue:

2025-04-07T13:39:44.7246933Z [INFO] --- enforcer:3.0.0-M3:enforce (enforce-dependencies) @ gateway-test-release-utils ---
2025-04-07T13:39:44.7966822Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/com/github/jnr/jffi/1.3.11/jffi-1.3.11.pom
2025-04-07T13:39:44.8033837Z [INFO] Downloaded from central: https://repo.maven.apache.org/maven2/com/github/jnr/jffi/1.3.11/jffi-1.3.11.pom (12 kB at 1.7 MB/s)
2025-04-07T13:39:44.8050798Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/net/jodah/failsafe/2.4.0/failsafe-2.4.0.pom
2025-04-07T13:39:44.8913163Z [INFO] Downloading from central: https://repo.maven.apache.org/maven2/net/jodah/failsafe/2.4.0/failsafe-2.4.0.pom
2025-04-07T13:39:44.8977725Z [INFO] Downloaded from central: https://repo.maven.apache.org/maven2/net/jodah/failsafe/2.4.0/failsafe-2.4.0.pom (7.3 kB at 1.2 MB/s)
2025-04-07T13:39:44.9507076Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/io/fabric8/docker-maven-plugin/0.45.0/docker-maven-plugin-0.45.0.jar
2025-04-07T13:39:45.0377109Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/com/github/jnr/jffi/1.3.11/jffi-1.3.11.jar
2025-04-07T13:39:45.0379887Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/com/github/jnr/jffi/1.3.11/jffi-1.3.11-native.jar
2025-04-07T13:39:45.0382272Z [INFO] Downloading from jetbrains-pty4j: https://packages.jetbrains.team/maven/p/ij/intellij-dependencies/net/jodah/failsafe/2.4.0/failsafe-2.4.0.jar
2025-04-07T13:40:45.1378386Z [WARNING] Rule 0: org.apache.maven.plugins.enforcer.DependencyConvergence failed with message:
2025-04-07T13:40:45.1379094Z Could not acquire lock(s)

Looks like an issue with pulling dependencies unrelated to your patch.

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 8, 2025

Thanks a lot Sandeep!

@smolnar82
Copy link
Contributor

smolnar82 commented Apr 8, 2025

Cleared caches and triggered new builds.
@Preetesh2110 - Please update the PR description with the outcome of your
$ mvn dependency:tree | grep spring
command.
Thanks!

@Preetesh2110
Copy link
Author

Preetesh2110 commented Apr 9, 2025

Thanks @smolnar82 updated the description.

@smolnar82
Copy link
Contributor

smolnar82 commented Apr 14, 2025

I think there is an actual issue with the new version of Spring, which should be handled (exclude/upgrade, etc...). I'm glad we have the dependency enforcer tool as part of our builds.

@smolnar82
Copy link
Contributor

smolnar82 commented Oct 28, 2025

I'm going to close this PR in 5 days in case there is no activity on it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@moresandeep moresandeep moresandeep approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Preetesh2110 @moresandeep @smolnar82