...
| CVE | library | description | risk for Delft-FEWS | JIRA | upgrade strategy | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-33813 | jdom.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | The risk is limited since the embeded PI service is not a public facing webservice and the alarm module only uses the library in the client. For most Delft-FEWS users, the library is never used. |
| phase out xfire. This is used in:
| ||||||||||
| CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited. |
| Dependency of ucar netcdf libraries. JDOM is not actively being developed, but there seems to be work on a fix. See: https://github.com/hunterhacker/jdom/issues/189 | ||||||||||
| CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used | Elastic search as distributed as part of the archive server, doesn't have Field Level or Document Level Seurity disabled. As long as the provided settings are not changed, there is no risk. |
| No need to upgrade since the archive server configuration is correct. |
...