I'm worried about my company's public-facing ERP system, which is still using Java 1.8, Spring Boot 2.0.4, and Spring 4.3.22. There's a lot of concern about known security vulnerabilities, yet my colleagues seem uninterested in updating these frameworks. Is there real danger in continuing to use these older versions? If it is a serious issue, how should I approach management about it?
1 Answer
Definitely look into the known CVEs for Spring Boot 2.0.4. You can find detailed security vulnerabilities on Maven's website. Putting together a written report about how these vulnerabilities could affect your application will help convey the risks to your management team.
Just remember, not every vulnerability will be directly harmful—some could be false alarms or not relevant to your app's functionalities.