Delft-FEWS uses third party libraries and analyses these libraries using the OWASP dependency check tool. See: https://owasp.org/www-project-dependency-check/
This page keeps track of known CVE issues in libraries that are distributed with Delft-FEWS and the upgrade strategy of these libraries.
Only CVE issues of severity Critical and High are reported here.
| CVE | library | description | Risk for Delft-FEWS | JIRA | upgrade strategy |
|---|---|---|---|---|---|
| CVE-2021-33813 | jdom.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Limited risk, since the embeded PI service is not a public facing webservice and the alarm module only uses the library in the client. For most Delft-FEWS users, the library is never used and can be removed. | FEWS-25546 - Getting issue details... STATUS | phase out the xfire library, that has a dependency on jdom. XFire is used in:
|
| CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Might be used in imports that use opendap. But since the library is not used in a service component, the risk is limited. | FEWS-25545 - Getting issue details... STATUS | Dependency of ucar netcdf libraries. JDOM is not actively being developed, but there seems to be work on a fix. See: https://github.com/hunterhacker/jdom/issues/189 |
| CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used | Elastic search as distributed as part of the archive server and doesn't have Field Level or Document Level Seurity disabled. As long as the provided settings are not changed, there is no risk. | FEWS-25543 - Getting issue details... STATUS | False alarm. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm. |
| CVE-2018-1258 | spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar | Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. | False alarm. Spring security is used in the Admin Interface, but doesn't use version 5.0.5 of the spring framework, but a higher version. | FEWS-25865 - Getting issue details... STATUS | False alarm. No action required. Once a fix is available we can upgrade the jar to avoid this false alarm. |
| CVE-2021-42340 | tomcat-embed-core-9.0.50.jar | The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. | False alarm. Delft-FEWS web applications don't use web sockets. | FEWS-26049 - Getting issue details... STATUS | False alarm. Upgrade in development only to latest tomcat 9 release. |
| CVE-2021-21290 en CVE-2021-21295 | Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user. | False alarm. No multipart is used. | False alarm. Upgrade in development to latest release. |
