
List:       maven-user
Subject:    Re: CVE-2022-22963 and CVE-2022-22965
From:       Tushar Kapila <tgkprog () gmail ! com>
Date:       2022-04-09 3:46:43
Message-ID: CAN0SkmnvNrD9ezuiSw4ZvbvvbLJYMw+pVbUNSd8FDeGgwxj-2w () mail ! gmail ! com


Bernd
Just say:
By the power of Grayskull, and you will have all the answers ;)

Donnel
You might get a few answers on forums, but if you need help to put it all
together consider hiring someone. Freelancer.com is one resource. Besides
aunty Google


On Sat, Apr 9, 2022, 07:53 Bernd Eckenfels <ecki@zusammenkunft.net> wrote:

> Hello Donnel,
>
> We need you to do your own research, the Apache Open Source Project Maven
> is not "your vendor" and also not related to Spring. How should "we" know
> what and how you are using it?
>
> Regards
> Bernd
> --
> http://bernd.eckenfels.net
> ________________________________
> From: DONNELL M GARRETT <DONNELL.GARRETT@bcbssc.com>
> Sent: Friday, April 8, 2022 9:25 PM
> To: users@maven.apache.org <users@maven.apache.org>
> Subject: CVE-2022-22963 and CVE-2022-22965
>
> On March 31, 2022 a pair of significant vulnerabilities were identified in
> the Java Spring Framework which would allow an attacker to execute
> malicious code.
>
>   *   CVE-2022-22963 - https://tanzu.vmware.com/security/cve-2022-22963
>   *   CVE-2022-22965 - https://tanzu.vmware.com/security/cve-2022-22965
>
> It is critical for all of our vendors to determine if their software is
> impacted so that remediation steps can be taken.  We need your company to
> respond to the following questions immediately:
>
>
>   *   Is your product impacted by CVE-2022-22963 or CVE-2022-22965?
>   *   Is your product built on Java?
>   *   Does your product depend on the Spring Cloud Function project?  If
> so, what version?
>   *   Does your product depend on Spring Framework?  If so, what version?
>   *   Does the product require JDK 9 or higher?
>   *   Does the product have a dependency on spring-webmvc?
>   *   Does the product have a dependency on spring-webflux?
>
>

