[Action Required] Upgrade Spring Boot to v2.6.6 or v2.5.12

Confluence Blog: https://29022131.atlassian.net/wiki/spaces/ENG/blog/2022/04/05/2485453231/Action+Required+Upgrade+Spring+Boot+to+v2.6.6+or+v2.5.12

Overview

Spring just released v2.6.6 [1] and v2.5.12 [2] which include a fix for CVE-2022-22965 [3]. Teams are required to upgrade to either version as soon as possible.

Who is this announcement for?

For all Engineers and Application Owners leveraging Spring Boot to build applications.

What do you need to do?

Upgrade Spring Boot to v2.6.6 or v2.5.12.
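A quick way to verify a service's declared Spring Boot version against the two fixed releases, as an added example (not part of this announcement or the Backend Infra team's tooling). It assumes the project inherits its version from `spring-boot-starter-parent` in `pom.xml`, treats release lines other than 2.5 and 2.6 as needing manual review, and uses a constructed sample `pom.xml`:

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases from the announcement, keyed by (major, minor) release line.
PATCHED = {(2, 6): (2, 6, 6), (2, 5): (2, 5, 12)}

def parse_version(text):
    """Turn '2.6.5' or '2.6.5-SNAPSHOT' into a comparable (2, 6, 5) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:  # e.g. a '${spring-boot.version}' property reference is not resolved here
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def _child(elem, name):
    """First direct child with local name `name` (POM namespace ignored)."""
    return next((c for c in elem if c.tag.split("}")[-1] == name), None)

def _text(elem, name):
    child = _child(elem, name)
    return (child.text or "").strip() if child is not None else None

def declared_boot_version(pom_xml):
    """Version inherited via spring-boot-starter-parent; None if that is not the parent."""
    parent = _child(ET.fromstring(pom_xml), "parent")
    if parent is None or _text(parent, "groupId") != "org.springframework.boot":
        return None
    if _text(parent, "artifactId") != "spring-boot-starter-parent":
        return None
    version = _text(parent, "version")
    return parse_version(version) if version else None

def assess(version):
    """'patched'/'vulnerable' relative to the fix on its line; 'review' for other lines."""
    line = version[:2]
    if line not in PATCHED:  # assumption: lines the announcement does not name get a manual look
        return "review"
    return "patched" if version >= PATCHED[line] else "vulnerable"

# Constructed sample pom.xml (not a real project), one patch release short of the fix.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.6.5</version>
  </parent>
</project>"""

if __name__ == "__main__":
    v = declared_boot_version(SAMPLE_POM)
    print("declared Spring Boot", ".".join(map(str, v)), "->", assess(v))
```

Projects that pin the version through `spring-boot-dependencies` (BOM import) or a `spring-boot.version` property return `None` here and need a separate check.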

Why is this needed?

Java RCE ‘0-day’ vulnerabilities were discovered in Spring Core [4] (dubbed Spring4Shell). Applications running on JDK version 9 or newer are vulnerable to an RCE attack.

All public APIs that have been integrated with Akamai are safe. The vulnerability also requires multiple prerequisites that may make an application hard to exploit. For safety and best practice, teams are still required to upgrade Spring Boot as soon as possible.

Timeline

Questions/Concerns?

Please contact the Security and Backend Infra team through #backend channel.

Appendix

[1] https://spring.io/blog/2022/03/31/spring-boot-2-6-6-available-now
[2] https://spring.io/blog/2022/03/31/spring-boot-2-5-12-available-now
[3] https://tanzu.vmware.com/security/cve-2022-22965
[4] https://www.lunasec.io/docs/blog/spring-rce-vulnerabilities/

Andy Saputra, on behalf of the Backend Infra Team