
Update PostgreSQL JDBC Driver to 42.4.3 due to 3rd Party vulnerability CVE-2022-41946


Details

    • Fix
    • Status: Released
    • Minor
    • Resolution: Fixed
    • 1.13.16, 2.5.0
    • 1.13.17, 2.5.1
    • None
    • None
    • CVE-2022-41946

    Description

      Current Situation

      JS7 JOC Cockpit and JobScheduler 1 Master, Agent and JOC Cockpit use PostgreSQL JDBC Driver 42.4.1, which is affected by a vulnerability, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41946.

      As the maintainer of the PostgreSQL driver states: "This is purely an information disclosure vulnerability."

      • JobScheduler 1.13.x Master:
        • We rate this vulnerability as medium as it depends on the customer's environment, e.g. if our software runs on a Linux system available to other untrusted users.
      • JobScheduler 1.13.x Agent and JOC Cockpit and JS7 JOC Cockpit:
        • We rate this vulnerability as low as these components do not make use of the default Linux /tmp directory.

      Risk Mitigation

      • Download the PostgreSQL JDBC Driver 42.4.3 from https://jdbc.postgresql.org/
      • JS7 (branch 2.x)
        • JOC Cockpit and the Agent make use of the PostgreSQL JDBC Driver.
        • Installation On Premises
          • JOC Cockpit
            • stop JOC Cockpit
            • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
            • copy postgresql-42.4.3.jar to the JETTY_BASE/lib/ext/joc directory
            • start JOC Cockpit
            • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.4.3.jar
          • Agent
            • stop the Agent
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.4.3.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Agent
        • Installation for Docker Containers
          • stop JOC Cockpit
          • add postgresql-42.4.3.jar to the ./config/lib directory
          • start JOC Cockpit
      • JS1 (branch 1.x)
        • JOC Cockpit, Master and Agent make use of the PostgreSQL JDBC Driver
        • Installation On Premises
          • JOC Cockpit
            • stop JOC Cockpit
            • remove available postgresql*.jar files from the JETTY_BASE/lib/ext/joc directory
            • add postgresql-42.4.3.jar to the JETTY_BASE/lib/ext/joc directory
            • start JOC Cockpit
            • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.4.3.jar
          • Master
            • stop the Master
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.4.3.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Master
            • as an alternative users can reinstall JOC Cockpit and specify the JDBC Driver from postgresql-42.4.3.jar
          • Agent
            • stop the Agent
            • remove available postgresql*.jar files from the SCHEDULER_HOME/lib/jdbc directory
            • add postgresql-42.4.3.jar to the SCHEDULER_HOME/lib/jdbc directory
            • start the Agent
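      The stop / remove / copy / start sequence is the same for every component above; the following is an added example (not code from SOS or this issue) that wraps the "remove postgresql*.jar, copy the new jar" steps in shell functions and checks that no driver older than 42.4.3 is left in a lib directory. Directory paths (JETTY_BASE/lib/ext/joc, SCHEDULER_HOME/lib/jdbc, ./config/lib) and the downloaded jar are passed by the caller; stopping and starting the component stays a manual step.

```shell
#!/bin/sh
# Added example (not from SOS or this issue): replace the PostgreSQL JDBC driver jar in one
# lib directory and verify no vulnerable driver remains. Paths are supplied by the caller.

PG_FIXED_VERSION="42.4.3"   # first version the issue treats as fixed for CVE-2022-41946

# version_ge A B: succeed if dotted version A is >= B (numeric, component-wise).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "[.]"); m = split(b, y, "[.]"); if (m > n) n = m
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0 }'
}

# jar_version PATH: print the version encoded in a file name like postgresql-42.4.1.jar.
jar_version() { basename "$1" .jar | sed -n 's/^postgresql-//p'; }

# count_pg_jars DIR: number of postgresql*.jar files in DIR.
count_pg_jars() {
  n=0
  for jar in "$1"/postgresql*.jar; do [ -e "$jar" ] && n=$((n + 1)); done
  echo "$n"
}

# find_vulnerable_jars DIR: print each postgresql*.jar in DIR whose version is unknown
# or older than PG_FIXED_VERSION (e.g. the 42.4.1 driver the issue describes).
find_vulnerable_jars() {
  for jar in "$1"/postgresql*.jar; do
    [ -e "$jar" ] || continue
    v=$(jar_version "$jar")
    if [ -z "$v" ] || ! version_ge "$v" "$PG_FIXED_VERSION"; then echo "$jar"; fi
  done
}

# replace_pg_driver DIR NEWJAR: the issue's remove/copy steps, then check that exactly one,
# non-vulnerable driver jar is left. Stop the component before and start it afterwards.
replace_pg_driver() {
  [ -d "$1" ] || { echo "not a directory: $1" >&2; return 1; }
  [ -f "$2" ] || { echo "not a file: $2" >&2; return 1; }
  rm -f "$1"/postgresql*.jar
  cp "$2" "$1"/
  [ "$(count_pg_jars "$1")" -eq 1 ] && [ -z "$(find_vulnerable_jars "$1")" ]
}

# Usage: sh fix_pg_driver.sh "$JETTY_BASE/lib/ext/joc" /path/to/postgresql-42.4.3.jar
if [ $# -eq 2 ]; then replace_pg_driver "$1" "$2"; fi
```

Run `find_vulnerable_jars` alone against each lib directory first to see which installations still carry the old driver before changing anything.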

      Desired Behavior

      JS7 JOC Cockpit and JobScheduler 1 Master, Agent and JOC Cockpit should use PostgreSQL JDBC Driver 42.4.3, which resolves the issue.

          People

            Oliver Haufe
            Santiago Aucejo Petzoldt
            Pratishtha Pandey