Release Notes / Version 11.2307
Table Of ContentsSpring Boot has been updated to version 2.5.14. Related dependencies have been updated to at least the versions used by Spring Boot. This includes updates to fix reported security issues in Spring Security and Tomcat (CVE-2022-22976, CVE-2022-22978, CVE-2022-29885). The new version of Spring Security contains a bug fix for certain configurations of password hashing (CVE-2022-22976), which may require additional upgrade steps if you have changed the configuration for password hashing in the Content Server or Elastic Social .
By default, passwords of
Content Server
builtin users and of
Elastic Social
users are stored using the BCrypt password hashing algorithm from Spring Security with a work factor of 10. Previous versions of Spring Security contained a security vulnerability (CVE-2022-22976) that made hashes less secure, if you had changed the default configuration to use work factor 31 with configuration property
cap.server.login.password-hash-algorithm
for the
Content Server
or property
elastic.social.password-hash-algorithm
for
Elastic Social
. You don't need to take action, if you are using the default configuration or a BCrypt work factor less than 31.
With this release, the configuration of work factor of 31 is not accepted anymore. Content Server and Elastic Social applications will fail to start, if such a work factor is configured. Note, that it would be an unreasonable choice anyway, because it would require multiple days to compute a single hash. If you had configured work factor 31, then you must change the configuration in the mentioned configuration properties, for example to the default work factor of 10, or a slightly higher one. The passwords of all users that were stored with work factor 31 are still working but should be changed to store them more securely. For details, see also the description of the CVE at https://tanzu.vmware.com/security/cve-2022-22976 .
The following libraries have been updated:
Janino 3.1.7
Jetty 9.4.46.v20220331
Micrometer 1.7.12
MySQL 8.0.29
Spring Boot 2.5.14
Spring Data 2021.0.11
Spring Security 5.5.8
Tomcat 9.0.64
If you use these libraries in project code, please check their respective release notes for changes and upgrade information. No changes were necessary in the CoreMedia Blueprint for these updates.
(CMS-21780)