Since Spring Boot comes with an embedded Tomcat container, I was wondering how the patching is done. If I decide to go with the embedded approach and a security vulnerability is found and the Tomcat community releases a patch, how do I apply that patch to the embedded Tomcat container that comes with Spring Boot?
Any help would be greatly appreciated, since it will help me decide whether to go the traditional route of standalone Tomcats vs. embedded.
Not a vulnerability in Tomcat. Tomcat has no dependency on any version of log4j. Web applications deployed on Apache Tomcat may have a dependency on log4j. You should seek support from the application vendor in this instance. It is possible to configure Apache Tomcat 10.
Spring4Shell is a remote code execution (RCE, code injection) vulnerability in Spring Core that is exploited via data binding. By exploiting it, an attacker can execute code supplied from a remote source on the victim system.
A critical vulnerability in the Spring Java framework was revealed on March 29, 2022. It was initially confused with CVE-2022-22963, a vulnerability in Spring Cloud. It was eventually identified as a separate Spring Core vulnerability, now known as CVE-2022-22965 and dubbed Spring4Shell.
According to this Spring blog post, you can specify any version of Tomcat you want. As long as it's released to the Maven repo, just add the following property to your Maven build properties, specifying whatever version you like: <tomcat.version>8.0.3</tomcat.version>.
See http://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core for versions currently available in Maven Central.
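As an added illustration of the override described in the answer above (not code from the original post), here is a minimal pom.xml that pins the embedded Tomcat version through the tomcat.version property inherited from spring-boot-starter-parent; the Spring Boot parent version and the Tomcat version shown are placeholders to be replaced with the patched release you need.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>

  <!-- spring-boot-starter-parent defines tomcat.version; a property with
       the same name in this pom overrides the version it would pull in. -->
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>SPRING_BOOT_VERSION_PLACEHOLDER</version>
    <relativePath/>
  </parent>

  <groupId>com.example</groupId>
  <artifactId>embedded-tomcat-patch-demo</artifactId>
  <version>0.0.1-SNAPSHOT</version>

  <properties>
    <!-- Set this to the patched Tomcat release published in Maven Central
         (placeholder value; see the mvnrepository link above for releases). -->
    <tomcat.version>TOMCAT_PATCHED_VERSION_PLACEHOLDER</tomcat.version>
  </properties>

  <dependencies>
    <!-- spring-boot-starter-web transitively brings in tomcat-embed-core,
         tomcat-embed-el and tomcat-embed-websocket at ${tomcat.version}. -->
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>
```

After changing the property, rebuild and redeploy the application, and confirm the resolved version with `mvn dependency:tree -Dincludes=org.apache.tomcat.embed` so that no other dependency still drags in the older tomcat-embed artifacts.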