Spring Security core v.5.3 null initialization vector
Issue date: 27-10-2020
Affects versions: 14.2, 13.4, 12.6
Issue ID: SECURITY-166
Affected Product Version(s)
14.2.2, 13.4.3, 12.6.10 (and previous patch releases)
Severity
low
Description
Spring Security versions used in prior versions of brXM improperly initialized a cipher used for text encryption. This function was not used by the brXM product directly, but may have been used by customer projects.
See: CVE-2020-5408
Spring Security has now been updated across all our latest supported versions: 14.3.0, 13.4.4 and 12.6.11.
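Why a null (all-zero) initialization vector matters for customer code that encrypts text, as an added example that is not brXM or Spring Security code: it uses only the JDK's javax.crypto API, and it assumes AES in CBC mode. The class name, demo key and sample records are constructed for illustration. With a fixed IV, equal plaintexts (and equal leading blocks) produce equal ciphertext; a fresh random IV per message removes that property.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class NullIvDemo {
    // Constructed 128-bit demo key; real code loads its key from a secret store.
    static final SecretKeySpec KEY =
            new SecretKeySpec("0123456789abcdef".getBytes(StandardCharsets.US_ASCII), "AES");
    static byte[] cbc(int mode, byte[] iv, byte[] data) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, KEY, new IvParameterSpec(iv));
        return c.doFinal(data);
    }

    // Weak: every message is encrypted under the same all-zero IV.
    static byte[] encryptNullIv(String text) throws Exception {
        return cbc(Cipher.ENCRYPT_MODE, new byte[16], text.getBytes(StandardCharsets.UTF_8));
    }

    // Corrected: fresh random IV per message, stored in front of the ciphertext.
    static byte[] encryptRandomIv(String text) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] ct = cbc(Cipher.ENCRYPT_MODE, iv, text.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    static String decryptRandomIv(byte[] blob) throws Exception {
        byte[] iv = Arrays.copyOf(blob, 16);
        byte[] ct = Arrays.copyOfRange(blob, 16, blob.length);
        return new String(cbc(Cipher.DECRYPT_MODE, iv, ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String a = "customer-4711: status=active"; // constructed sample records
        String b = "customer-4711: status=closed"; // same first 16 bytes as a
        System.out.println("null IV, same text, equal ciphertext: "
                + Arrays.equals(encryptNullIv(a), encryptNullIv(a)));
        System.out.println("null IV, shared prefix, equal first block: "
                + Arrays.equals(Arrays.copyOf(encryptNullIv(a), 16), Arrays.copyOf(encryptNullIv(b), 16)));
        System.out.println("random IV, same text, equal ciphertext: "
                + Arrays.equals(encryptRandomIv(a), encryptRandomIv(a)));
        System.out.println("random IV round trip: " + a.equals(decryptRandomIv(encryptRandomIv(a))));
    }
}
```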
Instructions
Customers are advised to upgrade to the latest maintenance or minor releases as indicated above. This can be done by incrementing the version number of the parent POM for the implementation project.