Delft-FEWS uses third party libraries and analyses these libraries using the OWASP dependency check tool. See https://owasp.org/www-project-dependency-check/
Common Vulnerabilities and Exposures (CVE) with CVE score Critical and High
This page keeps track of known CVE issues in libraries that are distributed with Delft-FEWS and the upgrade strategy of these libraries. The Common Vulnerability Scoring System (CVSS) of severity Critical and High are reported here.
|date||CVE||library||description||versions||Risk for Delft-FEWS||JIRA||upgrade strategy|
|December 2022||CVE-2016-4432||qpid-jms-client-0.51.0-p.jar||The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. Delft-FEWS only uses the client, not the AMQP server.||2021.01 -||False Positive.||False positive. No action required. Jar file can be removed from bin folder if the Azure IOT Hub import is not used. See also AzureIotHub|
PG 42.3.3 was flagged in Aug 2022.
PG 42.4.1 was flagged only since Feb 2023.
The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection.
2022.01 - 2022.02
|False Positive. PgResultSet#refreshRow() is not used||- FEWS-28737Getting issue details... STATUS|
False positive. 2022.02 and 2023.01 have been upgraded to 42.5.3.
The spring framework allows to use a http invoker that uses object serialization that may be vulnerable for Remote Code Execution.
|2022.01 - 2019.02||Only used in Admin interface where the described scenario is not used.||False positive. The HTTP Invoker method that is vulnerable is not used in any of the Delft-FEWS components. Upgrading won't help either since it won't be removed from the library. It has been marked as deprecated and will be removed in spring 6.|
|Mar 2022||CVE-2022-26336||poi-scratchpad 5.2||A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.||False positive. FEWS uses some of the Apache POI library (for the interval statistics dialog) but not the scratchpad, which is in a separate jar file.||False positive. Upgrade in development to latest release.|
|Feb 2022||CVE-2022-21724||postgresql-42.2.22.jar||A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade.||2021.02 - 2022.01||PG jdbc database url manipulation enables code execution loaded via arbitrary classes.||Upgrade to postgresql-42.3.3.jar|
In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.
Comment of Thymeleaf developer: I'd like to explain that CVE-2021-43466 only affects those applications that contain controllers or controller configurations that take a request parameter and directly use it, without previous filtering, as the name of the view to be rendered
|Only used in Admin interface where the described scenario is not used.||False positive. No action required. Once version 3.0.13 is available we can upgrade the jar to avoid this false alarm.|
|Oct 2021 Jan 2022|
The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.
|False positives. Delft-FEWS web applications don't use web sockets and doesn't use session persistence with the FileStorage.||False positives Upgrade in development only to latest tomcat 9 release.|
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
|False alarm. Bzip decoder is not used. Excessive memory usage might lead to a failing FSS in the worst case. Since the Azure IOT Hub is quite well secured, the risk is limited.||False positive. Upgrade in development to latest release.|
|Jun 2021||CVE-2021-33813||jdom-2.02.jar||An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.||Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited.|
Dependency of ucar netcdf libraries. JDOM library has been upgraded to: jdom2-188.8.131.52.jar since 2022.01.
|Mar 2019||CVE-2019-7611||elasticsearch-core-6.4.3.jar||A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used||Elastic search as distributed as part of the archive server and doesn't have Field Level or Document Level Seurity disabled. As long as the provided settings are not changed, there is no risk.||False positive. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm.|
|May 2018||CVE-2018-1258||spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar|
Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
|False alarm. Spring security is used in the Admin Interface, but doesn't use version 5.0.5 of the spring framework, but a higher version.||False positive. No action required. Once a fix is available we can upgrade the jar to avoid this false alarm.|
Commonly distributed 3rd party executables with CVE score Critical and High
|date||CVE||library||description||versions||Risk for Delft-FEWS||JIRA||upgrade strategy|
|Apr 2022||CVE-2022-28085||htmldoc (optionally supplied component not part of the Delft-FEWS binaries)||A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in the function pdf_write_names in ps-pdf.cxx may lead to arbitrary code execution and Denial of Service (DoS).|
Up to 2022-03-24
|Up to (excluding)|
|FEWS-27693||When using htmldoc, the end-user must be supplied with updated version from https://github.com/michaelrsweet/htmldoc/releases|
Deltares Open Archive common vulnerabilities and exposures (CVE) with CVE score Critical and High
This page keeps track of known CVE issues in libraries that are distributed with the Deltares Open Archive and the upgrade strategy of these libraries. The Common Vulnerability Scoring System (CVSS) of severity Critical and High are reported here.
|date||CVE||description||versions||Risk for Deltares Open Archive||JIRA||upgrade strategy|
|An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container||up to 202301||False positive. Users in thredds are not allowed to upload velocity templates.||FEWS-29325|
|november 2018||CVE-2018-1258||Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.||up to 202301||False positive. Spring security is not used.|
|February 2020||CVE-2016-1000027||Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.||up to 202301||False positive. Java is not used for deserialization.|
|A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.||up to 202301||False positive. Parsing is internally handled by THREDDS.|
|A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.||up to 202301||False positive. XML to json is not used in THREDDS.|
FEWS-29340 and FEWS-29342
|An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.||up to 202301||False positve. THREDDS is not vulnerable for this type of attack.|
Apache Tomcat CVE score Critical and High
|date||CVE||description||versions||Risk for Delft-FEWS||JIRA||upgrade strategy|
|May 2023||CVE-2022-28079||The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.|
Upgrade to latest version of Apache Tomcat.
Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9, release >= 2023.01 require Apache Tomcat 10.