| Vulnerability | Severity | Package | Package Version | Fix | Package Type |
|---|---|---|---|---|---|
| CVE-2016-1000027 | Critical | org.springframework:spring-web | 5.3.29 | v6.0.0 | java |
it seems like sysdig is forcing me to upgrade v6.0
how could this work. this is a compliance thing I really don’t have flexibility here.
Cant deploy my application because of this… what can I do?
Application is offline… What can I do in these cases?
java.lang.NoClassDefFoundError: jakarta/servlet/ServletRequest
at org.springframework.web.context.support.WebApplicationContextUtils.registerWebApplicationScopes(WebApplicationContextUtils.java:195) ~[spring-web-6.0.0.jar:6.0.0]
at org.springframework.web.context.support.WebApplicationContextUtils.registerWebApplicationScopes(WebApplicationContextUtils.java:174) ~[spring-web-6.0.0.jar:6.0.0]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.registerWebApplicationScopes(ServletWebServerApplicationContext.java:250) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.postProcessBeanFactory(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext.postProcessBeanFactory(AnnotationConfigServletWebServerApplicationContext.java:203) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:560) ~[spring-context-5.3.29.jar:5.3.29]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:147) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:731) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:408) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:307) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1303) ~[spring-boot-2.7.15.jar:2.7.15]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1292) ~[spring-boot-2.7.15.jar:2.7.15]
at com.mercer.aptitude.AptitudeApplication.main(AptitudeApplication.java:28) ~[main/:na]
Caused by: java.lang.ClassNotFoundException: jakarta.servlet.ServletRequest
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) ~[na:na]
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) ~[na:na]
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525) ~[na:na]
… 13 common frames omitted
Upgrading Spring 5.x to 6.x is a big step. It requires Java 17 and likely a lot of other changes and upgrades to other libraries. Your best bet is probably to upgrade to Jmix 2.x
Hi
Unfortunately there is no option to upgrade to Spring 6.X in your Jmix 1.5 application due to the incompatibility between Vaadin 8 used in Classic UI and the new Jakarta Servlet API and Spring 6.
You can get more details in the Jmix blog: Extended Support for Classic UI – Jmix
The mentioned CVE is related to HTTPInvoker functionality which is not used in Jmix.
I would recommend ignoring this report.
cant reply on the paid forum for this…
AS I MENTIONED BEFORE.
THIS IS A COMPLIANCE THING
I WORK FOR A LARGE COMPANY
I really cannot brush it off and tell dev ops… ignore that.
Overnight I no longer can use Jmix 1.5 and I’m forced to rework all the screens of a project of 1.5 years
how in this earth can this be remediated?
Let me explain the situation with compatibility.
Jmix 1 uses Vaadin 8, Jmix 2 uses Vaadin 24. Jmix doesn’t introduce any incompatibility itself, it just follows the technologies it is based on.
So you can either stay on Jmix 1 and explain to devops that the CVE doesn’t affect your application, or migrate to Jmix 2.
Regards,
Konstantin
I got all that.
COMPLIANCE rejects spring 5 end of story
I already talked to my manager. and were redoing all screens now.
I’m just frustrated with the updates
Everytime… I work for months… an update comes and breaks everything
CUBA → JMIX 1.5 → JMIX 2.1
Will this happen again with Jmix 3.0 next year or whenever? If so we have to look for another solution.
What you say is true - Haulmont, you really do have to handle these things better. 
2.x wasn’t even ready for “prime time;” so many needed controls are missing (Calendar??!?!)
Dear Eduardo,
I understand the depth of the problem you have had to face and the frustration you are currently experiencing. I also ask you to understand that by relying on open components, Jmix also has to be dependent on the compatibility of external technologies. There are things we can influence and there are those over which we have limited influence. For our part, we do everything possible to support our customers. I will contact you as soon as possible to determine possible options for resolving this predicament.
Thank you.