Delft-FEWS uses third party libraries and analyses these libraries using the OWASP dependency check tool. See: https://owasp.org/www-project-dependency-check/
This page keeps track of known CVE issues in libraries that are distributed with Delft-FEWS and the upgrade strategy of these libraries.
Only CVE issues of severity Critical and High are reported here.
| CVE | library | description | Risk for Delft-FEWS | JIRA | upgrade strategy | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2021-33813 | jdom.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Limited risk, since the embeded PI service is not a public facing webservice and the alarm module only uses the library in the client. For most Delft-FEWS users, the library is never used and can be removed. |
| phase out the xfire library, that has a dependency on jdom. XFire is used in:
| ||||||||||
| CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited. |
| Dependency of ucar netcdf libraries. JDOM is not actively being developed, but there seems to be work on a fix. See: https://github.com/hunterhacker/jdom/issues/189 | ||||||||||
| CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used | Elastic search as distributed as part of the archive server and doesn't have Field Level or Document Level Seurity disabled. As long as the provided settings are not changed, there is no risk. |
| False alarm. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm. | ||||||||||
| CVE-2018-1258 | spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. | False alarm. Spring security is used in the Admin Interface, but doesn't use version 5.0.5 of the spring framework, but a higher version. |
| False alarm. No action required. Once a fix is available we can upgrade the jar to avoid this false alarm. |