Delft-FEWS uses third-party libraries and scans these libraries with the OWASP Dependency-Check tool. See: https://owasp.org/www-project-dependency-check/
This page keeps track of known CVE issues in libraries that are distributed with Delft-FEWS and the upgrade strategy of these libraries.
Only CVE issues of severity Critical and High are reported here.
CVE | library | description | risk for Delft-FEWS | JIRA | upgrade strategy |
---|---|---|---|---|---|
CVE-2021-33813 | jdom.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | The risk is limited since the embedded PI service is not a public-facing web service and the alarm module only uses the library in the client. For most Delft-FEWS users, the library is never used. | FEWS-25546 | Phase out XFire. This is used in: |
CVE-2021-33813 | jdom-2.02.jar | An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. | Might be used in imports that use OPeNDAP, but since the library is not used in a service component, the risk is limited. | FEWS-25545 | Dependency of the UCAR NetCDF libraries. JDOM is not actively being developed, but there seems to be work on a fix. See: https://github.com/hunterhacker/jdom/issues/189 |
CVE-2019-7611 | elasticsearch-core-6.4.3.jar | A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. | Elasticsearch, as distributed as part of the archive server, does not have Field Level or Document Level Security disabled. | | No need to upgrade since the archive server configuration is correct. |
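Both JDOM rows above concern XXE in SAXBuilder. The following is an added example, not code from Delft-FEWS or from JDOM, of how a component that parses XML with JDOM 2 can configure its SAXBuilder so that DOCTYPEs and external entities are never processed, which removes the XXE exposure regardless of which jdom jar is on the classpath. The class name, the helper methods and the sample documents are assumptions of the example.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

// Hypothetical helper class for this example; not part of Delft-FEWS or JDOM.
public final class HardenedXmlParser {

    /** Builds a SAXBuilder that refuses DOCTYPEs and never resolves external entities. */
    public static SAXBuilder hardenedBuilder() {
        // Non-validating parser: reading data does not require DTD or schema validation.
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        // Reject any DOCTYPE declaration outright. Entities can only be declared in a DTD,
        // so this single feature blocks XXE before any entity is seen.
        builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth: even if a DOCTYPE were tolerated, never fetch external entities.
        builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
        builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Do not expand entity references into the tree. Older JDOM releases did not disable
        // external entities from this flag alone, hence the explicit SAX features above.
        builder.setExpandEntities(false);
        return builder;
    }

    public static Document parse(String xml) throws JDOMException, IOException {
        return hardenedBuilder().build(new StringReader(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents for the demonstration.
        String plain = "<TimeSeries><locationId>H-2001</locationId></TimeSeries>";
        String withDoctype =
            "<!DOCTYPE TimeSeries [<!ENTITY loc \"H-2001\">]>"
          + "<TimeSeries><locationId>&loc;</locationId></TimeSeries>";

        System.out.println("plain root: " + parse(plain).getRootElement().getName());
        try {
            parse(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (JDOMException e) {
            // Expected: the parser refuses the DOCTYPE before any entity is processed.
            System.out.println("rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Compile and run with jdom2 on the classpath; the first document parses and the second is rejected with a JDOMException.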