Configuration Persistence Service
CPS-963

Liquibase has a serious vulnerability, upgrade required

Description

      Liquibase has a serious vulnerability. It should be updated to the latest version.

      https://nvd.nist.gov/vuln/detail/CVE-2022-0839 

      The latest version of Liquibase is 4.9.1. Currently we use version 4.4.2, from which we have removed the proprietary code that needs a Liquibase Pro license to be used. An investigation has been done into 4.9.1 to see if it contains the same issue. This clip from a Liquibase Q&A confirms this is the case. Therefore we will need to host a 4.9.1 version of Liquibase similar to what we did with 4.4.2.

      From discussion with Liquibase: the Liquibase community version, which is downloadable from their website, can be used and does not have proprietary code. Liquibase are working on splitting community and pro in the Maven version. We have opted to wait until the Maven community version of Liquibase has come out and we have been given a time frame of 4-6 weeks.

      Update 24th May:
      The split is in the review stage and we have been given an estimate of mid-to-late June.
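      The ticket says the team will re-host a stripped 4.9.1 build the way it did with 4.4.2. The script below is an added example (not CPS or Liquibase project code) of the two checks worth running on such a self-hosted jar before publishing it: that the manifest version is at least 4.9.1, and that no classes remain under the package holding the Pro-licensed code. The package prefix `liquibase/pro/` and the in-memory sample jars are assumptions constructed for illustration; the real prefix must be confirmed against the jar being stripped.

```python
"""Sanity checks for a self-hosted, stripped Liquibase jar.

Added example, not CPS project code. Assumptions (not from the ticket):
  - proprietary classes live under the package prefix 'liquibase/pro/';
  - the jar carries Implementation-Version in META-INF/MANIFEST.MF.
"""
import io
import re
import zipfile
from typing import List, Tuple

MIN_VERSION = "4.9.1"          # version the ticket asks to move to
PRO_PREFIX = "liquibase/pro/"  # ASSUMED prefix of Pro-licensed classes


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.9.1' or '4.9.1-SNAPSHOT' -> (4, 9, 1), so versions compare numerically."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def manifest_version(jar_bytes: bytes) -> str:
    """Implementation-Version from the manifest, or '' if missing."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return ""
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.MULTILINE)
    return m.group(1) if m else ""


def proprietary_classes(jar_bytes: bytes, prefix: str = PRO_PREFIX) -> List[str]:
    """Class entries still present under the (assumed) proprietary prefix."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith(prefix) and n.endswith(".class"))


def check_jar(jar_bytes: bytes) -> List[str]:
    """Return findings; an empty list means the jar passes both checks."""
    findings = []
    ver = manifest_version(jar_bytes)
    if not ver:
        findings.append("manifest has no Implementation-Version")
    elif parse_version(ver) < parse_version(MIN_VERSION):
        findings.append(f"version {ver} is older than required {MIN_VERSION}")
    pro = proprietary_classes(jar_bytes)
    if pro:
        findings.append(f"{len(pro)} class(es) still under {PRO_PREFIX}: {pro[:3]}")
    return findings


def build_jar(version: str, entries: List[str]) -> bytes:
    """Construct a minimal in-memory jar (sample data, not a real Liquibase build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        for e in entries:
            zf.writestr(e, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


# Constructed samples: the current stripped 4.4.2, an unstripped 4.9.1,
# and the stripped 4.9.1 the ticket wants to end up hosting.
OLD_STRIPPED = build_jar("4.4.2", ["liquibase/Liquibase.class"])
NEW_UNSTRIPPED = build_jar("4.9.1", ["liquibase/Liquibase.class",
                                     "liquibase/pro/packaged/A.class"])
NEW_STRIPPED = build_jar("4.9.1", ["liquibase/Liquibase.class"])

if __name__ == "__main__":
    for name, jar in [("old-stripped", OLD_STRIPPED),
                      ("new-unstripped", NEW_UNSTRIPPED),
                      ("new-stripped", NEW_STRIPPED)]:
        print(name, "->", check_jar(jar) or "OK")
```

      Run against the real artifact by reading the jar from disk into `check_jar`; replace `PRO_PREFIX` with the prefix actually observed in the unstripped Maven jar, since the assumed value is only a placeholder.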


People

  Assignee: Unassigned
  Reporter: Lorant Hideg (ehidlor)