[EDGPATRON-91] Upgrade dependencies fixing DoS and HTTP Request Smuggling - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: 4.9.0
Fix Version/s: 4.9.1, 4.10.0
Labels:
- security

Template:
Sprint:
CP: sprint 142
Development Team:
Core: Platform
Release:
Morning Glory (R2 2022)
RCA Group:
Related dependency upgrade

Description

Upgrade woodstox-core from 5.0.3 to 6.2.7 fixing XML External Entity (XXE) Injection: https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754

Upgrade jackson-databind from 2.11.3 to 2.13.2.1 fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2020-36518 , https://app.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698

Upgrade jackson-dataformat-cbor from 2.11.3 to 2.13.2 fixing Denial of Service (DoS): https://nvd.nist.gov/vuln/detail/CVE-2020-36518

Upgrade vertx from 4.1.0 to 4.3.1. This indirectly upgrades Netty from 4.1.65.Final to 4.1.77.Final fixing Denial of Service (DoS), HTTP Request Smuggling, and Information Exposure: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37136 , https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-37137 , https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43797 , https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24823

Upgrade aws-java-sdk-ssm from 1.11.313 to 1.12.246 fixing Information Exposure: https://security.snyk.io/vuln/SNYK-JAVA-COMMONSCODEC-561518

Also upgrade other dependencies.

TestRail: Results

Attachments

Issue Links

has to be done before

EDGPATRON-94 Release 4.9.1 for Morning Glory

Closed

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 24/Jun/22 1:36 PM

Updated:: 29/Jun/22 9:41 PM

Resolved:: 24/Jun/22 4:47 PM

TestRail: Runs

TestRail: Cases