Details
- Type: Feature
- Status: Released
- Priority: Major
- Resolution: Fixed
- Fix Version/s: 1.13.0, 2.0.0
- CVE-2017-1000190, CVE-2017-14868
Description
Current Situation
- Vulnerabilities
  - The simple-xml (org.simpleframework) 3rd-party library is affected by CVE-2017-1000190 and CVE-2017-14868.
  - No active development or support for the library can be observed; as a result, at the time of writing no fixed version is available.
- Risk Mitigation
  - The library is used by JS7 Agents to access a KeePass Credential Store. No direct exploit has been identified.
  - However, because the library is used to access secrets, continued use of the library is not recommended.
  - Users who do not make use of the Credential Store feature can remove the library. For details on how to remove this feature see JS7 - Package Management.
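The removal step above can be verified against an installation. The following check is an added example; it is not part of this issue or of JS7 itself. It assumes that the Agent installation directory is passed as the first argument, that the library ships as a jar file whose name starts with simple-xml, and that the version can be read from the jar's META-INF/MANIFEST.MF (falling back to the version embedded in the file name, e.g. simple-xml-2.7.1.jar, when unzip is not available or the manifest carries no version).

```shell
#!/bin/sh
# Added example (not SOS-provided): locate simple-xml (org.simpleframework) jars
# in a JS7 Agent installation, so that the affected library can be confirmed
# present, or confirmed gone after the Credential Store feature was removed.
# Assumptions: $1 is the installation root; the library ships as simple-xml*.jar;
# the version is read from the jar manifest or, failing that, from the file name.

jar_version() {
    # $1 = path to a jar. Prefer Implementation-Version / Bundle-Version from the manifest.
    v=""
    if command -v unzip >/dev/null 2>&1; then
        v=$(unzip -p "$1" META-INF/MANIFEST.MF 2>/dev/null \
            | tr -d '\r' \
            | sed -n -e 's/^Implementation-Version: *//p' -e 's/^Bundle-Version: *//p' \
            | head -n 1)
    fi
    if [ -z "$v" ]; then
        # Fall back to the version in the file name, e.g. simple-xml-2.7.1.jar -> 2.7.1
        v=$(basename "$1" .jar | sed -n 's/^simple-xml-\(.*\)$/\1/p')
    fi
    printf '%s\n' "${v:-unknown}"
}

find_simple_xml_jars() {
    # $1 = installation root. Prints one "<path> <version>" line per jar found.
    find "$1" -type f -name 'simple-xml*.jar' 2>/dev/null | sort | while IFS= read -r jar; do
        printf '%s %s\n' "$jar" "$(jar_version "$jar")"
    done
}

check_agent() {
    # $1 = installation root. Returns 0 when the library is absent, 1 when it is present.
    hits=$(find_simple_xml_jars "$1")
    if [ -n "$hits" ]; then
        echo "AFFECTED: simple-xml still present under $1 (CVE-2017-1000190, CVE-2017-14868):" >&2
        printf '%s\n' "$hits" >&2
        return 1
    fi
    echo "OK: no simple-xml jar found under $1" >&2
    return 0
}

# Usage: sh check_simple_xml.sh /path/to/js7/agent   (the path is an assumption)
if [ -n "${1:-}" ]; then
    check_agent "$1"
fi
```

Run the check before and after removing the Credential Store feature: a non-zero exit status with the jar path(s) on stderr means the affected library is still deployed.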
Desired Behavior
- SOS removes the library from future releases and implements a replacement.
Test Instructions
- Test Database Access
  - see Using a Credential Store for Database Access with Hibernate
  - configure the hibernate.cfg.xml configuration file and perform testing with the JS1 Master Installer and the JS7 JOC-Cockpit Installer
- Test JITL Jobs
  - see JS7 - Use of Credential Store with JITL Jobs
  - additionally, perform testing with the corresponding JS1 Jobs
- Test Shell Jobs
- Test YADE
  - see Using Credential Store to securely store authentication, connection and other parameters
  - ensure that the cs://<...>@attachment feature for the AuthenticationFile is tested as well
- Perform testing of the JS7 Notification Interface with Mail Fragments that make use of Job Resources and the Credential Store.
Issue Links
- relates to JITL-735 JS1 and JS7 KeePass CredentialStore Interface - update KeePassJava2 library to version 2.2.1 (Released)