Page History

...

Only CVE issues of severity Critical and High are reported here.

CVE

file

description

risk for Delft-FEWS

JIRA

upgrade strategy

CVE-2021-33813

jdom.jar

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

The risk is limited since the embeded PI service is not a public facing webservice and the alarm module only uses the library in the client. For most Delft-FEWS users, the library is never used.

Jira

server	Deltares Issue Tracker
serverId	20635570-6a34-3a69-a785-26a57a470c5b
key	FEWS-25546

phase out xfire. This is used in:

embedded PI service. Has been deprecated and will be replaced with a new implemenation. https://issuetracker.deltares.nl/browse/FEWS-22053
Alarm module. Master controller calls Alarm Module soap service to sent events. This should be replaced by a new implementation: https://issuetracker.deltares.nl/browse/FEWS-25861

CVE-2021-33813

jdom-2.02.jar

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited.

Jira

server	Deltares Issue Tracker
columns	key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId	20635570-6a34-3a69-a785-26a57a470c5b
key	FEWS-25545

Dependency of ucar netcdf libraries. JDOM is not actively being developed, but there seems to be work on a fix. See:

https://github.com/hunterhacker/jdom/issues/189

Page tree

Versions Compared

Old Version 3

New Version 4

Key