...
| CVE | library | description | risk for Delft-FEWS | JIRA | upgrade strategy | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-33813 | jdom.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | The risk is limited since the embeded PI service is not a public facing webservice and the alarm module only uses the library in the client. For most Delft-FEWS users, the library is never used. |
| phase out xfire. This is used in:
| ||||||||||
| CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited. |
| Dependency of ucar netcdf libraries. JDOM is not actively being developed, but there seems to be work on a fix. See: https://github.com/hunterhacker/jdom/issues/189 | ||||||||||
| CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used | Elastic search as distributed as part of the archive server, doesn't have Field Level or Document Level Seurity disabled. |
| No need to upgrade since the archive server configuration is correct. |
...