Type: Task
Resolution: Done
Priority: Medium
Vulnerability scans of SDC have found some vulnerable 3pp versions. Creating this task for analysis of these versions. Is it possible to update/remove them, or does SDC even use the vulnerable functionality?
Vulnerable versions

Jsoup
  org.jsoup:jsoup:1.8.3 (in catalog-fe / onboarding-be war)
  CVE-2021-37714
  Fix version: 1.14.2

Netty
  io.netty:netty-codec:4.1.66.Final (in onboarding-be war)
  CVE-2021-37136, CVE-2021-37137
  Fix version: 4.1.68.Final

Gson
  com.google.code.gson:gson:2.3.1 (in catalog-fe war)
  Xray-188794 (no CVE id)
  Fix version: 2.8.9

Chef
  Chef 13.8.5 (Dockerfiles)
  CVE-2015-8559
  Fix version: 15.4.45

JNA
  net.java.dev.jna:jna:4.2.2 (in onboarding-be war)
  Xray-114349 (no CVE id)
  Fix version: 5.10.0

Lucene
  org.apache.lucene:lucene-core:3.0.3 (in catalog-be war)
  Xray-86119 (no CVE id)
  Fix version: 3.6.0

HttpClient cache
  org.apache.httpcomponents:httpclient-cache:4.5.3 (in catalog-be war)
  Xray-84107 (no CVE id)
  Fix versions: 4.5.9, 5.0-beta4-RC1

Commons BeanUtils
  commons-beanutils-1.9.2 (in asdctool-1.9.0-SNAPSHOT-jar-with-dependencies.jar)
  CVE-2019-10086
  Fix version: 1.9.4

Jackson Databind
  jackson-databind-2.9.4 (in asdctool-1.9.0-SNAPSHOT-jar-with-dependencies.jar)
  64 different vulnerabilities
  Fix version: 2.9.10.7
  Locations:
    catalog-be.war:WEB-INF/lib/gremlin-shaded-3.3.3.jar:jackson-databind
    asdctool-1.9.0-SNAPSHOT-jar-with-dependencies.jar:jackson-databind

Jetty
  jetty-io-9.3.12.v20160915 (in asdctool-1.9.0-SNAPSHOT-jar-with-dependencies.jar and catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar)
  13 vulnerabilities
  Fix version: 9.4.29 or higher
  Also affects jetty-server and jetty-webapp

Bundled in dme2-3.1.200-oss.jar
Quite a few findings in the backend service come from catalog-be.war:WEB-INF/lib/dme2-3.1.200-oss.jar:
  commons-beanutils-1.9.2
  commons-collections-3.2.1
  hazelcast-3.7.2
  jetty* 9.3.12.v20160915

No fixed versions available yet
  slf4j 1.7.25 (catalog-fe-1.9.0-SNAPSHOT.war:WEB-INF/lib/slf4j-api-1.7.25.jar)
  geronimo-1.1.1 (onboarding-be-1.9.0-SNAPSHOT.war:WEB-INF/lib/geronimo-jta_1.1_spec-1.1.1.jar), CVE-2011-5034
  org.apache.tinkerpop:gremlin-core:3.3.3
  hazelcast-3.7.2
  pip 20.2.3, CVE-2018-20225 (disputed CVE; no fix, and it might not be an issue)
Relates to: SDC-3927 Remove unused vulnerable dependency (Closed)