JOC - JobScheduler Operations Center
JOC-1222

Update PostgreSQL JDBC Driver to 42.2.25 due to 3rd-party vulnerability issue CVE-2022-21724


Details

    • Type: Fix
    • Status: Released
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.13, 2.0.0
    • Fix Version/s: 1.13.12, 2.2.2
    • Component/s: None
    • Labels: None
    • CVE-2022-21724

    Description

      Current Situation

      • JS7 (JobScheduler branch 2.x) Agent and JOC Cockpit Web Services ship with the PostgreSQL JDBC Driver 42.2.19.
      • JS1 (JobScheduler branch 1.x) Master, Agent and JOC Cockpit Web Services ship with PostgreSQL JDBC Driver 9.4.1209.
      • A vulnerability communicated by a GitHub security advisory affects these driver versions.
      • PostgreSQL JDBC Drivers are available from https://jdbc.postgresql.org/download.html.
      • Risk Mitigation
        • The issue is rated high by CVE and GHSA standards and medium by the producers of the driver.
        • We rate the impact on our software as low, as the described attack scenario only works in an environment where additional supporting libraries are already present.
        • We still rate the attack scenario valid and dangerous, as it has become common practice for attacks to first infiltrate a system, analyze it, download additional software or libraries and become active at a later time.

      Risk Mitigation

      • Download the PostgreSQL JDBC Driver 42.2.25 from https://jdbc.postgresql.org/download.html
      • JS7 (branch 2.x)
        • JOC Cockpit and the Agent make use of the PostgreSQL JDBC Driver.
        • Installation On Premises
          • JOC Cockpit 
            • stop JOC Cockpit
            • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
            • copy postgresql-42.2.25.jar to the JETTY_BASE/lib/ext/joc directory
            • start JOC Cockpit
            • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.2.25.jar
          • Agent
            • stop the Agent
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.2.25.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Agent
        • Installation for Docker Containers
          • stop JOC Cockpit
          • add postgresql-42.2.25.jar to the ./config/lib directory
          • start JOC Cockpit
      • JS1 (branch 1.x)
        • JOC Cockpit, Master and Agent make use of the PostgreSQL JDBC Driver
        • Installation On Premises
          • JOC Cockpit
            • stop JOC Cockpit
            • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
            • add postgresql-42.2.25.jar to the JETTY_BASE/lib/ext/joc directory
            • start JOC Cockpit
            • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.2.25.jar
          • Master
            • stop the Master
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.2.25.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Master
            • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.2.25.jar
          • Agent
            • stop the Agent
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.2.25.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Agent
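A check for the driver directories named in the procedure above, as an added example that is not part of JS7 or JS1: it lists every postgresql*.jar in a directory and flags any release older than 42.2.25, so the result of the jar replacement can be verified before starting the service. The function names and the version-comparison helper are assumptions for illustration; the directory paths come from the procedure.

```shell
#!/bin/sh
# Added example (not JS7/JS1 code): report postgresql*.jar files in a driver
# directory and flag any release older than the fixed driver 42.2.25.
# Directories to check are the ones from the procedure, e.g.
# JETTY_BASE/lib/ext/joc (JOC Cockpit) and SCHEDULER_HOME/lib/jdbc (Agent/Master).

FIXED_VERSION="42.2.25"

# version_lt A B: succeeds when dotted version A is older than B
# (numeric comparison per component, so 9.4.1209 < 42.2.19 < 42.2.25)
version_lt() {
    [ "$1" != "$2" ] || return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# jar_version FILE: extract the version from a driver file name such as
# postgresql-42.2.19.jar or postgresql-42.2.19.jre7.jar
jar_version() {
    basename "$1" .jar | sed -e 's/^postgresql-//' -e 's/\.jre[0-9]*$//'
}

# check_driver_dir DIR: print one line per postgresql*.jar found; succeed only
# when at least one driver is present and none is older than FIXED_VERSION
check_driver_dir() {
    dir=$1
    found=0
    outdated=0
    for jar in "$dir"/postgresql*.jar; do
        [ -e "$jar" ] || continue      # the glob matched nothing
        found=$((found + 1))
        v=$(jar_version "$jar")
        if version_lt "$v" "$FIXED_VERSION"; then
            echo "OUTDATED $jar: $v < $FIXED_VERSION (CVE-2022-21724)"
            outdated=$((outdated + 1))
        else
            echo "OK       $jar: $v"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "MISSING  no postgresql*.jar in $dir"
        return 1
    fi
    [ "$outdated" -eq 0 ]
}
```

Source the file and call `check_driver_dir "$JETTY_BASE/lib/ext/joc"` or `check_driver_dir "$SCHEDULER_HOME/lib/jdbc"`; a non-zero exit status means the directory still needs the replacement from the procedure.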

      Desired Behavior

      • Due to a vulnerability in older PostgreSQL JDBC driver releases, JS7 and JobScheduler 1 should use the current version 42.2.25, which fixes the issue.

      People

        Assignee: Santiago Aucejo Petzoldt
        Reporter: Santiago Aucejo Petzoldt
        Kanika Agrawal
        Votes: 0
        Watchers: 3