This page keeps track of known CVE issues in libraries that are distributed with Delft-FEWS and of the upgrade strategy for these libraries. Only issues with a Common Vulnerability Scoring System (CVSS) severity of Critical or High are reported here.
| date | CVE | library | description | versions | Risk for Delft-FEWS | JIRA | upgrade strategy |
|---|---|---|---|---|---|---|---|
| July 2024 | CVE-2024-36401 | gt-complex-31.1.jar | GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions... A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed. FEWS uses the GeoTools library, not GeoServer. The WFS (Web Feature Service) implementation in FEWS is a 'Simple' profile implementation of the WFS standard: it is read-only, does not evaluate XPath expressions and does not use the vulnerable gt-complex-x.y.jar library reported here. Therefore this is considered a false positive. | 2021.02 - current | False positive | | False positive, no action required |
| | | DOMPurify (embedded in the swagger test pages) | DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders dompurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability. This is apparently embedded in the swagger test pages provided for testing the FEWS web services. These pages should never be open to untrusted or public input, so although the swagger library has been updated in 2024.02 this is considered a false positive. | 2021.02 - 2024.01 | False positive | | Swagger library updated in 2024.02; no further action required |
| February 2024 | CVE-2022-37434, CVE-2002-0059, CVE-2018-25032 | zlib1.dll | Several security issues in zlib versions 1.2.12 and earlier are reported. FEWS uses a more recent version (1.2.13 - 1.3.1), but apparently the OWASP dependency checker is not able to detect this, therefore we consider this a false alarm. | 2022.02 - current | False positive | | False positive, no action required |
| December 2023 | CVE-2022-46337 | derby-10.16.1.1.jar | A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. FEWS only uses embedded Derby in local Standalone installations; embedded Derby does not support LDAP and is not accessible over a network in such configurations. Therefore this warning can safely be discarded as a false positive. | 2021.02 - current | False positive | | False positive, no action required |
| | | bcprov-jdk15-*.jar | The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host. An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters. This library is related to the OpenID authentication support in the FEWS web services and admin interface. FEWS only allows the use of certificates from a local truststore which is managed by the system administrators, so the scenario where a certificate is "imported" does not apply. Therefore we consider this a false positive. | 2021.02 - 2024.01 | False positive | | False positive, no action required |
| November 2023 | CVE-2023-36052 | azure-core-*.jar, azure-identity-*.jar | Azure CLI REST Command Information Disclosure Vulnerability. The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto Networks Prisma Cloud, found that Azure CLI commands could be used to show sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs. Microsoft recommends that customers update to the latest version of Azure CLI (2.54) and follow the guidance provided below to help prevent inadvertently exposing secrets through CI/CD logs. A notification in the Azure Portal was sent to customers who recently used Azure CLI commands informing them of an available update. This is a very specific use case where the role these Java libraries could play is not clear. FEWS does not use this library in the context of a CLI or GitHub Actions, so this OWASP alert is considered a false positive. | 2032.02 - current | False positive | | False positive, no action required |
| | | Nimbus JOSE+JWT 9.2*.jar | In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component. This library is related to the OpenID authentication support in the FEWS web services and admin interface. FEWS does not use the PBKDF2 component for password decryption. Therefore we consider this a false positive. | 2022.02 - 2024.01 | False positive | | False positive, no action required |
| November 2023 | CVE-2023-36415 | azure-identity-*.jar | Azure Identity SDK Remote Code Execution Vulnerability. The above is the only information supplied. For the current 1.11.0 version we consider this a false alert for a vulnerability that needs to be addressed in the .NET based Azure SDK, so it will be suppressed, specifically for CVE-2023-36415. | 2021.02 - current | False positive | | |
| November 2023 | CVE-2023-45853 | zlib1.dll, libz.so.1.2.13 | MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product. The main author, Mark Adler, states (GitHub): "Minizip is not part of zlib. The source code is provided in the contrib directory of the zlib distribution, along with several other such contributions, as a courtesy. This is not a zlib vulnerability." Additionally, zlib.def has been checked to verify that at least the Windows version contains no minizip methods. | 2022.02 - current | False positive | | False positive, no action required |
| October 2023 | CVE-2023-4586 | netty-transport-4.1.91.Final.jar, netty-all-4.1.79.Final.jar | A vulnerability was found in the Hot Rod client provided by the Netty library. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack. Netty is used by FEWS in the context of Microsoft Azure (AzureIotHub import) and THREDDS, which is used by the archive server. Hot Rod is a very specific TCP client-server protocol used by the JBoss Infinispan product. There is no indication of any kind that the Hot Rod protocol is used by FEWS or THREDDS in any way, so this is considered a false positive warning. | 2020.02 - current | False positive | FEWS-26050 | False positive. No action required. |
| September 2023 | CVE-2023-34040 | spring-boot-3.0.7.jar | In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. Specifically, an application is vulnerable when all of the following are true: the user does not configure an ErrorHandlingDeserializer for the key and/or value of the record; the user explicitly sets the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true; the user allows untrusted sources to publish to a Kafka topic. By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record. Two out of the three conditions mentioned in the description are not met in the case of FEWS. This library is currently only used for the admin interface, which should never be made available for use by "untrusted sources" over the internet. | 2020.02 - 2023.01 | False positive | | False positive, no action required |
| February 2023 | CVE-2023-25158 | gt-26.4.jar, gt-20.0.jar, net.opengis.fes-20.0.jar | The GeoTools implementation of the OpenGIS Filter Encoding Standard (FES) has been found to contain SQL Injection Vulnerabilities when executing OGC Filters with JDBCDataStore implementations. Delft-FEWS has no such JDBCDataStore implementation, and the Filter functionality has been included only to support a client-side implementation of the OpenGIS WFS interface. FEWS only uses this to implement OpenGIS WFS viewing capability; no server-side WFS or FES implementation that could be prone to SQL injection exists in FEWS. | 2019.02 - 2022.02 | False positive | FEWS-27037 | False positive. No action required. |
| December 2022 | CVE-2016-4432 | qpid-jms-client-0.51.0-p.jar | The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. Delft-FEWS only uses the client, not the AMQP server. | 2021.01 - current | False positive | FEWS-28377 | False positive. No action required. The jar file can be removed from the bin folder if the Azure IoT Hub import is not used. See also AzureIotHub. |
| Feb 2023, August 2022 | CVE-2022-31197 | postgresql-42.4.1.jar, postgresql-42.3.3.jar | PG 42.3.3 was flagged in Aug 2022; PG 42.4.1 has been flagged only since Feb 2023. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names, so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. | 2022.01 - 2022.02 | False positive. PgResultSet#refreshRow() is not used. | FEWS-28737 | Upgrade in development to latest release. 2022.02 and 2023.01 have been upgraded to 42.5.3. |
| Oct 2022 | CVE-2022-41853 | hsqldb-2.*.jar | Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath, resulting in code execution. Delft-FEWS does not allow any 'untrusted' input to be used in SQL statements, so this is considered a false positive. | 2021.02 - 2022.02 | False positive | FEWS-27632 | False positive. 2022.02, 2023.01 and later have been upgraded to version 2.7.2. |
| Oct 2022 | CVE-2022-41404 | ini4j-0.5.4.jar | An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors. | 2022.02 and earlier | False positive | | False positive: the report states that version 0.5.4 fixes the problem, yet the scanner still flags the current version. Moreover, this library is only used in adapters, where "unspecified vectors" are extremely unlikely to play any role. No action required. |
| May 2016 | CVE-2016-1000027 | spring-core-3.19 | The Spring framework allows the use of an HTTP invoker that relies on object serialization and may be vulnerable to Remote Code Execution (see https://docs.spring.io/spring-framework/docs/current/reference/html/integration.html#remoting-httpinvoker). | 2019.02 - 2022.01 | Only used in the Admin interface, where the described scenario is not used. | FEWS-27230 | False positive. The vulnerable HTTP Invoker method is not used in any of the Delft-FEWS components. Upgrading won't help either, since it won't be removed from the library: it has been marked as deprecated and will be removed in Spring 6. |
| Mar 2022 | CVE-2022-26336 | poi-scratchpad 5.2 | A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1. | 2021.02 only | False positive. FEWS uses some of the Apache POI library (for the interval statistics dialog) but not the scratchpad, which is in a separate jar file. | | |
| Feb 2022 | CVE-2022-21724 | postgresql-42.2.22.jar | A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. The system using the postgresql library will be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via the `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. | 2021.02 - 2022.01 | PG JDBC database URL manipulation enables code execution loaded via arbitrary classes. | FEWS-26908 | Upgrade to postgresql-42.3.3.jar |
| Nov 2021 | CVE-2021-43466 | thymeleaf-3.0.12.RELEASE.jar | In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution. Comment of a Thymeleaf developer: "I'd like to explain that CVE-2021-43466 only affects those applications that contain controllers or controller configurations that take a request parameter and directly use it, without previous filtering, as the name of the view to be rendered." | | Only used in the Admin interface, where the described scenario is not used. | FEWS-26228 | No action required. Once version 3.0.13 is available we can upgrade the jar to avoid this false alarm. |
| Oct 2021, Jan 2022, Feb 2022 | CVE-2021-42340, CVE-2022-23181 | tomcat-embed-core-9.0.50.jar | The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. | 2021.02 - 2022.02 | False positives. Delft-FEWS web applications don't use WebSockets and don't use session persistence with the FileStore. | FEWS-26049 | False positives. Upgrade in development only, to the latest Tomcat 9 release. |
| Oct 2021 | CVE-2021-37136, CVE-2021-37137 | netty-all-4.1.48.Final.jar | The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. Also, the Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk was received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. | | False alarm. The Bzip2 decoder is not used. Excessive memory usage might lead to a failing FSS in the worst case; since the Azure IoT Hub is quite well secured, the risk is limited. | | |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-26050 |
---|
|
False positive. Upgrade in development to latest release. | Jun 2021 | CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limitedpostgresql-42.2.22.jar | A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. | 2021.02 - 2022.01 | PG jdbc database url manipulation enables code execution loaded via arbitrary classes. | Jira |
---|
server | Deltares Issue Tracker |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-26908 |
---|
|
| Upgrade to postgresql-42.3.3.jar |
Nov 2021 | CVE-2021-43466 | thymeleaf-3.0.12.RELEASE.jar | In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution. Comment of Thymeleaf developer: I'd like to explain that CVE-2021-43466 only affects those applications that contain controllers or controller configurations that take a request parameter and directly use it, without previous filtering, as the name of the view to be rendered |
| Only used in Admin interface where the described scenario is not used. | Jira |
---|
server | Deltares Issue Tracker |
---|
columnIds | issuekey,summary,issuetype,created,updated,duedate,assignee,reporter,priority,status,resolution |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-26228 |
---|
|
| False positive. No action required. Once version 3.0.13 is available we can upgrade the jar to avoid this false alarm. |
Oct 2021 Jan 2022 | CVE-2021-42340,
CVE-2022-23181 | tomcat-embed-core-9.0.50.jar | The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore. | 2021.02 - 2022.02 | False positives. Delft-FEWS web applications don't use web sockets and doesn't use session persistence with the FileStorage. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS- |
---|
|
|
25545Dependency of ucar netcdf libraries. JDOM library has been upgraded to: jdom2-2.0.6.1.jar since 2022.01.
Oct 2020 | CVE-2017-9096 | iText-2.1.3.jar | The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF. | This library is used only to export timeseries charts and to index PDF help files that are distributed with Delft-FEWS. Untrusted content will never be opened using iText so this is considered a false positive | False positives Upgrade in development only to latest tomcat 9 release. |
Oct 2021 | CVE-2021-37136, CVE-2021-37137
| netty-all-4.1.48.Final.jar | The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. and The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk. |
| False alarm. Bzip decoder is not used. Excessive memory usage might lead to a failing FSS in the worst case. Since the Azure IOT Hub is quite well secured, the risk is limited. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-26050 |
---|
|
| False positive. Upgrade in development to latest release. |
Jun 2021 | CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. |
| Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25545 |
---|
|
| Dependency of ucar netcdf libraries. JDOM library has been upgraded to: jdom2-2.0.6.1.jar since 2022.01.
|
Oct 2020 | CVE-2017-9096 | iText-2.1.3.jar | The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF. |
| This library is used only to export timeseries charts and to index PDF help files that are distributed with Delft-FEWS. Untrusted content will never be opened using iText so this is considered a false positive. | Jira |
---|
server | Deltares Issue Tracker |
---|
columnIds | issuekey,summary,issuetype,created,updated,duedate,assignee,reporter,priority,status,resolution |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-31666 |
---|
|
| False positive, upgrading this would require a commercial version that may not be backwards compatible,. |
Mar 2019 | CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used |
| Elastic search as distributed as part of the archive server and doesn't have Field Level or Document Level Seurity disabled. As long as the provided settings are not changed, there is no risk. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25543 |
---|
|
| False positive. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm. |
May 2018 | CVE-2018-1258 | spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CWE-863 Incorrect Authorization |
| False alarm. Spring security is used in the Admin Interface, but doesn't use version 5.0.5 of the spring framework, but a higher version. | Jira |
---|
server | Deltares Issue Tracker |
---|
|
|
columnIdsissuekeyissuetypeduedatedue,assignee,reporter,priority,status,resolution |
|
|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-31666 |
---|
False positive, upgrading this would require a commercial version that may not be backwards compatible,. | Mar 2019 | CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used | Elastic search as distributed as part of the archive server and doesn't have Field Level or Document Level Seurity disabled. As long as the provided settings are not changed, there is no risk. | Jira |
---|
server | Deltares Issue Tracker |
---|
columns | key,summary,type,created,updated,due,assignee,reporter,priority,status,resolution |
---|
serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25543 |
---|
|
| False positive. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm. | May 2018 | CVE-2018-1258 | spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. CWE-863 Incorrect Authorization | serverId | 20635570-6a34-3a69-a785-26a57a470c5b |
---|
key | FEWS-25865 |
---|
|
| False positive. No action required. Once a fix is available we can upgrade the jar to avoid this false alarm. |
...
...
...
...