Details
- Fix
- Status: Released
- Minor
- Resolution: Fixed
- 1.13.12, 2.2.1
- None
- None
- GHSA-673j-qm5f-xpv8
Description
Current Situation
- JS7 (JobScheduler branch 2.x) Agent and JOC Cockpit Web Services ship with the PostgreSQL JDBC Driver 42.2.19.
- JS1 (JobScheduler branch 1.x) Master, Agent and JOC Cockpit Web Services ship with the PostgreSQL JDBC Driver 42.2.25.
- A vulnerability communicated by a GitHub security advisory affects the shipped driver versions; see https://github.com/advisories/GHSA-673j-qm5f-xpv8 for more information on the impact.
- No CVE-ID has been registered.
- PostgreSQL JDBC Drivers are available from https://jdbc.postgresql.org/download.html
- Risk Mitigation
  - The issue is rated moderate by the GHSA standard and by the producers of the driver. However, the producers do not consider the vulnerability a security issue.
Risk Mitigation
- Download the PostgreSQL JDBC Driver 42.3.3 from https://jdbc.postgresql.org/download.html
- JS7 (branch 2.x)
  - JOC Cockpit and the Agent make use of the PostgreSQL JDBC Driver.
  - Installation On Premises
    - JOC Cockpit
      - stop JOC Cockpit
      - remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
      - copy postgresql-42.3.3.jar to the JETTY_BASE/lib/ext/joc directory
      - start JOC Cockpit
      - as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.3.3.jar
    - Agent
      - stop the Agent
      - remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
      - add postgresql-42.3.3.jar to the SCHEDULER_HOME/lib/jdbc directory
      - start the Agent
  - Installation for Docker Containers
    - JOC Cockpit
      - stop JOC Cockpit
      - add postgresql-42.3.3.jar to the ./config/lib directory
      - start JOC Cockpit
- JS1 (branch 1.x)
  - JOC Cockpit, Master and Agent make use of the PostgreSQL JDBC Driver.
  - Installation On Premises
    - JOC Cockpit
      - stop JOC Cockpit
      - remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
      - add postgresql-42.3.3.jar to the JETTY_BASE/lib/ext/joc directory
      - start JOC Cockpit
      - as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.3.3.jar
    - Master
      - stop the Master
      - remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
      - add postgresql-42.3.3.jar to the SCHEDULER_HOME/lib/jdbc directory
      - start the Master
      - as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.3.3.jar
    - Agent
      - stop the Agent
      - remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
      - add postgresql-42.3.3.jar to the SCHEDULER_HOME/lib/jdbc directory
      - start the Agent
  - JOC Cockpit
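Before and after applying the steps above, an operator will want to verify which driver jar each installation actually loads. The following audit script is an added example, not code from this issue or from the JobScheduler project: it walks the JETTY_BASE/lib/ext/joc and SCHEDULER_HOME/lib/jdbc directories named in the advisory, reads the version from the official postgresql-<version>.jar file name (an assumption; a renamed jar is flagged for manual inspection) and reports any jar older than 42.3.3 or any directory left without a driver. It assumes GNU `sort -V` for version ordering.

```shell
#!/bin/sh
# Added audit helper (not from the SOS issue or the JobScheduler project):
# report PostgreSQL JDBC Driver jars older than the fixed release 42.3.3 in the
# library directories the advisory names. Assumes the official file naming
# postgresql-<version>.jar and GNU `sort -V` for version ordering.

FIXED_VERSION="42.3.3"

# Print the version embedded in a postgresql-<version>.jar name; fail otherwise.
pgjdbc_version_of() {
    case "$(basename "$1")" in
        postgresql-*.jar) basename "$1" .jar | sed 's/^postgresql-//' ;;
        *) return 1 ;;
    esac
}

# Succeed when version $1 is at least version $2.
version_at_least() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# Audit one directory: print one line per driver jar marked OK or VULNERABLE,
# and fail if any jar is older than FIXED_VERSION, unversioned, or missing.
audit_jdbc_dir() {
    audit_dir="$1"; audit_status=0; audit_found=0
    for jar in "$audit_dir"/postgresql*.jar; do
        [ -e "$jar" ] || continue          # no match: the glob stays literal
        audit_found=1
        if ! ver=$(pgjdbc_version_of "$jar"); then
            echo "$jar unversioned CHECK-MANUALLY"; audit_status=1; continue
        fi
        if version_at_least "$ver" "$FIXED_VERSION"; then
            echo "$jar $ver OK"
        else
            echo "$jar $ver VULNERABLE"; audit_status=1
        fi
    done
    [ "$audit_found" -eq 1 ] || { echo "$audit_dir: no PostgreSQL JDBC driver jar found"; audit_status=1; }
    return "$audit_status"
}

# Usage: audit the JOC Cockpit and Master/Agent directories from the advisory
# when JETTY_BASE / SCHEDULER_HOME point at an installation (unset: skipped).
for d in "${JETTY_BASE:-}/lib/ext/joc" "${SCHEDULER_HOME:-}/lib/jdbc"; do
    [ -d "$d" ] || continue
    audit_jdbc_dir "$d" || echo "$d: driver update required"
done
```

Run it once per host with JETTY_BASE and SCHEDULER_HOME exported; a non-zero result from audit_jdbc_dir, or a leftover VULNERABLE line after the update, means an old jar survived the "remove available postgresql*.jar files" step and will still be on the classpath.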
Desired Behavior
- Due to a vulnerability in older PostgreSQL JDBC Driver releases, JS7 and JobScheduler 1 should use the current version 42.3.3, which fixes the issue.