Last Updated: May 9, 2022 at 11:40AM (EDT)
Status: Resolved – Customer Action Required
Solace is aware of the following Spring Cloud and Spring Framework vulnerabilities:
Solace products and internal systems are not exposed to these vulnerabilities, although three projects have transitive dependencies on Spring, as detailed in the table below. We have also confirmed that our partners’ products Adaptris Interlok and PubSub+ Monitor are not exposed.
Product | Scope | Affected Version | Workaround | Resolution |
---|---|---|---|---|
PubSub+ Spring Boot | While the PubSub+ Spring Boot project itself has no direct dependencies on the Spring Framework, it uses Spring Boot which does. The following components have sub-dependencies on an affected Spring Framework version: | All versions | A developer using any of these projects as dependencies can use their build time tools to override the choice of Spring Framework libraries and use an unaffected version. | On April 1, 2022, Solace released a new patch to update to Spring Boot 2.6.6. This is available in PubSub+ Spring Boot version 1.2.2. |
PubSub+ Spring Cloud | While the PubSub+ Spring Cloud project itself has no dependencies on Spring Framework and Spring Cloud Function, it uses Spring Cloud Stream and Spring Boot which do. The following components have sub-dependencies on an affected Spring Framework and Spring Cloud Function version: | All versions | A developer using any of these projects as dependencies can use their build time tools to override the choice of Spring Framework and Spring Cloud Function libraries and use an unaffected version. | On April 1, 2022, Solace released a new patch to update to Spring Boot 2.6.6. This is available in PubSub+ Spring Cloud version 2.3.1. |
PubSub+ Connector for MuleSoft Anypoint Platform | While the PubSub+ Connector for MuleSoft Anypoint Platform itself has no dependencies on Spring Framework and Spring Cloud Function, it is a component of MuleSoft which does. | N/A | N/A | Customers should contact MuleSoft regarding exposure to these vulnerabilities. |
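
After applying a build-time override or upgrading as described in the table, the resolved dependency tree shows whether the change took effect. The following is an added example, not code from Solace: it scans `mvn dependency:tree` text output for Spring Boot artifacts resolved below the 2.6.6 baseline named above. The sample tree, the `com.example` coordinates and the function names are constructed for illustration.

```python
import re

# Baseline from the advisory: the patched releases move to Spring Boot 2.6.6.
# Other groupIds (e.g. "org.springframework") can be added with the fixed
# version from the relevant Spring advisory; this page does not state it.
MINIMUMS = {"org.springframework.boot": (2, 6, 6)}

# One coordinate in `mvn dependency:tree` text output:
# groupId:artifactId:packaging[:classifier]:version:scope
COORD = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):[\w\-]+(?::[\w.\-]+)?"
    r":(?P<version>[\w.\-]+):(?P<scope>compile|runtime|provided|test|system)\b"
)


def parse_version(text):
    """Leading numeric components as a 3-tuple: '2.6.6.RELEASE' -> (2, 6, 6)."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def below_baseline(tree_text, minimums=MINIMUMS):
    """Return sorted (group, artifact, version) entries resolved below baseline."""
    hits = set()
    for line in tree_text.splitlines():
        m = COORD.search(line)
        if not m or m["group"] not in minimums:
            continue
        if parse_version(m["version"]) < minimums[m["group"]]:
            hits.add((m["group"], m["artifact"], m["version"]))
    return sorted(hits)


# Constructed sample output, not taken from any real project.
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:1.0.0
[INFO] +- com.example:messaging-starter:jar:0.0.1:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.6.4:compile
[INFO] |  |  +- org.springframework.boot:spring-boot:jar:2.6.4:compile
[INFO] |  |  \- org.springframework.boot:spring-boot-autoconfigure:jar:2.6.6:compile
[INFO] \- org.springframework.boot:spring-boot-starter-json:jar:2.6.6:compile
"""

if __name__ == "__main__":
    for group, artifact, version in below_baseline(SAMPLE_TREE):
        print(f"below baseline: {group}:{artifact}:{version}")
```

An empty result means every matched artifact resolves at or above the configured baseline; any entry returned identifies a transitive dependency that the override did not reach.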