CVE | library | description | Risk for Delft-FEWS | JIRA | upgrade strategy |
---|
CVE-2021-33813 | jdom.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Limited risk, since the embeded PI service is not a public facing webservice and the alarm module only uses the library in the client. For most Delft-FEWS users, the library is never used and can be removed. | Jira |
---|
server | Deltares Issue Tracker |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25546 |
---|
|
| phase out the xfire library, that has a dependency on jdom. XFire is used in: |
CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25545 |
---|
|
| Dependency of ucar netcdf libraries. JDOM is not actively being developed, but there seems to be work on a fix. See: https://github.com/hunterhacker/jdom/issues/189
|
CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used | Elastic search as distributed as part of the archive server and doesn't have Field Level or Document Level Seurity disabled. As long as the provided settings are not changed, there is no risk. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25543 |
---|
|
| False alarm. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm. |
CVE-2018-1258 | spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CWE-863 Incorrect Authorization | False alarm. Spring security is used in the Admin Interface, but doesn't use version 5.0.5 of the spring framework, but a higher version. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25865 |
---|
|
| False alarm. No action required. Once a fix is available we can upgrade the jar to avoid this false alarm. |
CVE-2021-42340 | tomcat-embed-core-9.0.50.jar | The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. | False alarm. Delft-FEWS web applications don't use web sockets. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-26049 |
---|
|
| False alarm. Upgrade in development only to latest tomcat 9 release. |