Spring Security Core v.5.3 null initialization vector

Issue date: 27-10-2020
Affects versions: 14.2, 13.4, 12.6

Issue ID: SECURITY-166

Affected Product Version(s)
14.2.2, 13.4.3, 12.6.10 (and previous patch releases)

Severity 
low

Description

The Spring Security versions bundled with earlier brXM releases improperly initialized a cipher used for text encryption. The brXM product itself did not use this function, but customer projects may have used it.

See: CVE-2020-5408

Spring Security has now been updated across all our latest supported versions: 14.3.0, 13.4.4 and 12.6.11.

Instructions

Customers are advised to upgrade to the latest maintenance or minor release indicated above. To do so, increment the version number of the parent POM for the implementation project.