Spring Boot has been updated to version 2.5.14. Related dependencies have been updated to at least the versions used by Spring Boot. This includes updates to fix reported security issues in Spring Security and Tomcat (CVE-2022-22976, CVE-2022-22978, CVE-2022-29885). The new version of Spring Security contains a bug fix for certain configurations of password hashing (CVE-2022-22976), which may require additional upgrade steps if you have changed the configuration for password hashing in the Content Server or Elastic Social.

By default, passwords of Content Server builtin users and of Elastic Social users are stored using the BCrypt password hashing algorithm from Spring Security with a work factor of 10. Previous versions of Spring Security contained a security vulnerability (CVE-2022-22976) that made hashes less secure, if you had changed the default configuration to use work factor 31 with configuration property cap.server.login.password-hash-algorithm for the Content Server or property elastic.social.password-hash-algorithm for Elastic Social. You don't need to take action, if you are using the default configuration or a BCrypt work factor less than 31.

With this release, the configuration of work factor of 31 is not accepted anymore. Content Server and Elastic Social applications will fail to start, if such a work factor is configured. Note, that it would be an unreasonable choice anyway, because it would require multiple days to compute a single hash. If you had configured work factor 31, then you must change the configuration in the mentioned configuration properties, for example to the default work factor of 10, or a slightly higher one. The passwords of all users that were stored with work factor 31 are still working but should be changed to store them more securely. For details, see also the description of the CVE at https://tanzu.vmware.com/security/cve-2022-22976.

The following libraries have been updated:

If you use these libraries in project code, please check their respective release notes for changes and upgrade information. No changes were necessary in the CoreMedia Blueprint for these updates.

(CMS-21780)