Dependency on org.bouncycastle:bcprov-jdk15on:1.69
brings vulnerability CVE-2023-33201
Fix would be to upgrade dependency to org.bouncycastle:bcprov-jdk18on:1.75
(which means dropping support for Java < 8)
Comment From: ryanjbaxter
We cannot drop support for Java 8 in Spring Cloud 2021.0.x
Really the change needs to be made in spring-security-rsa, that is where the dependency is coming from
org.springframework.cloud:spring-cloud-config-server:jar:4.0.4-SNAPSHOT
[INFO] \- org.springframework.security:spring-security-rsa:jar:1.0.11.RELEASE:compile
In the meantime you can override the dependency in your own application by specifying the dependency and version.
Once a version of spring-security-rsa is released that has the correct version we can pull that in.
Comment From: anabright
> We cannot drop support for Java 8 in Spring Cloud 2021.0.x

I said Java < 8, not Java 8 😉

> Really the change needs to be made in spring-security-rsa, that is where the dependency is coming from
>
> org.springframework.cloud:spring-cloud-config-server:jar:4.0.4-SNAPSHOT
> [INFO] \- org.springframework.security:spring-security-rsa:jar:1.0.11.RELEASE:compile
>
> In the meantime you can override the dependency in your own application by specifying the dependency and version.
> Once a version of spring-security-rsa is released that has the correct version we can pull that in.
I see, thanks for pointing that out. I've looked into it and turns out there's already a newer version of spring-security-rsa
(1.1.1) with org.bouncycastle:bcprov-jdk18on
(with the vulnerability fixed).
@ryanjbaxter if you could pull that version in and release a new version, that would be great, thanks.
In the meantime, for those interested, I've overridden the dependency like this:
    implementation("org.springframework.cloud:spring-cloud-config-server")
    // declaring the newer version directly wins Gradle's conflict resolution,
    // so the transitive 1.0.11.RELEASE (and its bcprov-jdk15on) is no longer selected
    implementation("org.springframework.security:spring-security-rsa:1.1.1")
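As an added example (not code from this issue, from Spring Cloud or from spring-security-rsa), the following Groovy `build.gradle` fragment applies the override described above and adds a task that fails the build if `bcprov-jdk15on` still lands on the runtime classpath, so the fix cannot silently regress when other dependencies change. It assumes the `java` plugin is applied and Gradle 7 or newer; the task name `checkNoVulnerableBouncyCastle` is made up for this example.

```groovy
// build.gradle (Groovy DSL) - added example, assumes the 'java' plugin is applied
dependencies {
    implementation("org.springframework.cloud:spring-cloud-config-server") {
        // drop the transitive spring-security-rsa 1.0.11.RELEASE that pulls in
        // org.bouncycastle:bcprov-jdk15on:1.69 (CVE-2023-33201)
        exclude group: "org.springframework.security", module: "spring-security-rsa"
    }
    // pin the release that depends on bcprov-jdk18on instead
    implementation("org.springframework.security:spring-security-rsa:1.1.1")
}

// Guard: fail the build if anything still drags the old artifact onto the runtime classpath.
// Task name is a made-up placeholder for this example.
tasks.register("checkNoVulnerableBouncyCastle") {
    description = "Fails if org.bouncycastle:bcprov-jdk15on is resolved on runtimeClasspath"
    doLast {
        def offenders = configurations.runtimeClasspath
            .resolvedConfiguration.resolvedArtifacts
            .findAll { art ->
                def id = art.moduleVersion.id
                id.group == "org.bouncycastle" && id.name == "bcprov-jdk15on"
            }
        if (!offenders.isEmpty()) {
            throw new GradleException(
                "Vulnerable artifact(s) on runtimeClasspath: " +
                offenders.collect { it.moduleVersion.id.toString() }.join(", "))
        }
        logger.lifecycle("OK: bcprov-jdk15on is not on runtimeClasspath")
    }
}

// Run the guard as part of the normal 'check' lifecycle (and therefore 'build').
tasks.named("check") {
    dependsOn("checkNoVulnerableBouncyCastle")
}
```

Run `./gradlew dependencies --configuration runtimeClasspath` to confirm which Bouncy Castle artifact is actually selected after the override.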
Comment From: ryanjbaxter
We can't make the jump to 1.1.1. However I did update to the latest 1.0.12 release in spring cloud commons 4.0.x. 1.1.1 will be used in our upcoming 4.1.0 release of spring cloud commons.