Last Updated: May 9, 2022 at 11:40AM (EDT)
Status: Resolved – Customer Action Required

Solace is aware of the following Spring Cloud and Spring Framework vulnerabilities:

Solace products and internal systems are not exposed to these vulnerabilities, although three projects have transitive dependencies on Spring as detailed in the table below. We have also confirmed that our partners’ products Adaptris Interlok and PubSub+ Monitor are not exposed.

| Product | Scope | Affected Version | Workaround | Resolution |
| --- | --- | --- | --- | --- |
| PubSub+ Spring Boot | While the PubSub+ Spring Boot project itself has no direct dependencies on the Spring Framework, it uses Spring Boot, which does. The following components have sub-dependencies on an affected Spring Framework version: solace-java-cf-env, solace-java-spring-boot-autoconfigure, solace-jms-spring-boot-autoconfigure, solace-jms-spring-boot-starter, solace-java-spring-boot-starter, solace-spring-boot-starter | All versions | A developer using any of these projects as dependencies can use their build-time tools to override the choice of Spring Framework libraries and use an unaffected version. | On April 1, 2022, Solace released a new patch to update to Spring Boot 2.6.6. This is available in PubSub+ Spring Boot version 1.2.2. |
| PubSub+ Spring Cloud | While the PubSub+ Spring Cloud project itself has no dependencies on Spring Framework and Spring Cloud Function, it uses Spring Cloud Stream and Spring Boot, which do. The following components have sub-dependencies on an affected Spring Framework and Spring Cloud Function version: solace-spring-cloud-connector, spring-cloud-stream-binder-solace-core, spring-cloud-stream-binder-solace, spring-cloud-starter-stream-solace | All versions | A developer using any of these projects as dependencies can use their build-time tools to override the choice of Spring Framework and Spring Cloud Function libraries and use an unaffected version. | On April 1, 2022, Solace released a new patch to update to Spring Boot 2.6.6. This is available in PubSub+ Spring Cloud version 2.3.1. |
| PubSub+ Connector for MuleSoft Anypoint Platform | While the PubSub+ Connector for MuleSoft Anypoint Platform itself has no dependencies on Spring Framework and Spring Cloud Function, it is a component of MuleSoft, which does. | N/A | N/A | Customers should contact MuleSoft regarding exposure to these vulnerabilities. |
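
To confirm that a build-time override actually took effect, the resolved dependency tree can be checked for Spring Boot artifacts older than the 2.6.6 release named above. The following is an added example, not Solace's code: it parses `mvn dependency:tree` text output, the sample tree and its non-Spring version numbers are constructed, and treating 2.6.6 as the single minimum version is an assumption drawn from the Resolution column.

```python
import re

# Baseline named in the advisory: the patched Solace releases move to Spring Boot 2.6.6.
BASELINE = (2, 6, 6)
# One node of `mvn dependency:tree` output: group:artifact:type[:classifier]:version:scope
NODE = re.compile(r"^\[INFO\] (?P<indent>[|+\\\- ]*)(?P<coords>[\w.\-]+(?::[\w.\-]+){3,5})\s*$")

# Constructed sample output (versions shown as 0.0.0 are placeholders, not real releases).
SAMPLE_TREE = r"""
[INFO] com.example:demo-app:jar:0.0.1-SNAPSHOT
[INFO] +- com.solace.spring.boot:solace-spring-boot-starter:jar:0.0.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.6.4:compile
[INFO] |  |  \- org.springframework.boot:spring-boot:jar:2.6.4:compile
[INFO] |  \- com.solacesystems:sol-jcsmp:jar:0.0.0:compile
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.6.6:compile
"""

def parse_version(text):
    """Turn '2.6.4' or '2.6.4.RELEASE' into a comparable tuple of leading integers."""
    nums = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(n) for n in nums.group().split(".")) if nums else ()

def stale_spring_boot(tree_text, baseline=BASELINE):
    """Return (artifact, version, dependency path) for each Spring Boot jar below baseline."""
    findings, stack = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue
        depth = len(m.group("indent")) // 3  # Maven indents three characters per level
        parts = m.group("coords").split(":")
        group, artifact, ver_text = parts[0], parts[1], parts[-2]
        version = parse_version(ver_text)  # empty for the root line, which has no scope field
        del stack[depth:]                  # drop siblings and deeper nodes from the path
        stack.append(f"{group}:{artifact}")
        if group == "org.springframework.boot" and version and version < baseline:
            findings.append((artifact, ver_text, " > ".join(stack)))
    return findings
```

The returned path shows which direct dependency pulls in the old version, which is where the override or upgrade needs to be applied.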