JOC - JobScheduler Operations Center
JOC-1229

Update PostgreSQL JDBC Driver to 42.3.3 due to 3rd-party vulnerability issue GHSA-673j-qm5f-xpv8


Details

    • Type: Fix
    • Status: Released
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.13.12, 2.2.1
    • Fix Version/s: 1.13.13, 2.2.2
    • Component/s: None
    • Labels: None
    • GHSA-673j-qm5f-xpv8

    Description

      Current Situation

      • JS7 (JobScheduler branch 2.x) Agent and JOC Cockpit Web Services ship with the PostgreSQL JDBC Driver 42.2.19.
      • JS1 (JobScheduler branch 1.x) Master, Agent and JOC Cockpit Web Services ship with PostgreSQL JDBC Driver 42.2.25.
      • A vulnerability communicated by a GitHub security advisory affects these versions.
      • PostgreSQL JDBC Drivers are available from https://jdbc.postgresql.org/download.html
      • The issue is rated moderate by GHSA standard and by the producers of the driver. However, the producers do not consider the vulnerability a security issue.

      Risk Mitigation

      • Download the PostgreSQL JDBC Driver 42.3.3 from https://jdbc.postgresql.org/download.html
      • JS7 (branch 2.x)
        • JOC Cockpit and the Agent make use of the PostgreSQL JDBC Driver.
        • Installation On Premises
          • JOC Cockpit
            • stop JOC Cockpit
            • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
            • copy postgresql-42.3.3.jar to the JETTY_BASE/lib/ext/joc directory
            • start JOC Cockpit
            • as an alternative, users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.3.3.jar
          • Agent
            • stop the Agent
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.3.3.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Agent
        • Installation for Docker Containers
          • stop JOC Cockpit
          • add postgresql-42.3.3.jar to the ./config/lib directory
          • start JOC Cockpit
      • JS1 (branch 1.x)
        • JOC Cockpit, Master and Agent make use of the PostgreSQL JDBC Driver
        • Installation On Premises
          • JOC Cockpit
            • stop JOC Cockpit
            • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
            • add postgresql-42.3.3.jar to the JETTY_BASE/lib/ext/joc directory
            • start JOC Cockpit
            • as an alternative, users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.3.3.jar
          • Master
            • stop the Master
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.3.3.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Master
            • as an alternative, users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.3.3.jar
          • Agent
            • stop the Agent
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.3.3.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Agent
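An added helper script, not part of the issue or of the SOS products, that first audits a lib directory for PostgreSQL JDBC driver jars older than 42.3.3 and then performs the remove-and-copy step listed above. The directory variables JETTY_BASE and SCHEDULER_HOME follow the issue; the path of the downloaded jar (NEW_JAR) is an assumption, and stopping and starting the affected service stays a manual step.

```shell
#!/bin/sh
# Added example: audit and replace the PostgreSQL JDBC driver in JS7/JS1 lib directories.
MIN_VERSION="42.3.3"   # first driver release that fixes GHSA-673j-qm5f-xpv8 per the issue

# version_lt A B: succeed when dotted version A sorts before version B (numeric per component)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) exit 0; if (xi > yi) exit 1
        }
        exit 1
    }'
}

# audit_dir DIR: report every postgresql-*.jar in DIR; return 1 if any is older than MIN_VERSION
audit_dir() {
    dir=$1; outdated=0
    for jar in "$dir"/postgresql-*.jar; do
        [ -e "$jar" ] || continue              # glob did not match: no driver jar present
        ver=${jar##*/postgresql-}; ver=${ver%.jar}
        if version_lt "$ver" "$MIN_VERSION"; then
            echo "OUTDATED  $jar (version $ver < $MIN_VERSION)"; outdated=1
        else
            echo "OK        $jar"
        fi
    done
    return $outdated
}

# replace_driver DIR NEW_JAR: the issue's step of removing postgresql*.jar files and adding the
# fixed jar. Stop JOC Cockpit / Master / Agent before calling this and start it afterwards.
replace_driver() {
    dir=$1; new_jar=$2
    rm -f "$dir"/postgresql-*.jar
    cp "$new_jar" "$dir"/
}

# Audit the directories named in the issue when the environment variables are set.
status=0
[ -n "$JETTY_BASE" ]     && { audit_dir "$JETTY_BASE/lib/ext/joc"  || status=1; }
[ -n "$SCHEDULER_HOME" ] && { audit_dir "$SCHEDULER_HOME/lib/jdbc" || status=1; }
# To replace after stopping the service (NEW_JAR is an assumed path to the downloaded driver):
#   replace_driver "$JETTY_BASE/lib/ext/joc" "$NEW_JAR"
```

Run it with JETTY_BASE and SCHEDULER_HOME exported; a non-zero status means at least one directory still carries an outdated driver.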

      Desired Behavior

      • Due to a vulnerability issue in older PostgreSQL JDBC driver releases, JS7 and JS1 should use the current version 42.3.3, which fixes the issue.

      People

        Santiago Aucejo Petzoldt
        Kanika Agrawal