Details

Type: Fix
Status: Released
Priority: Minor
Resolution: Fixed
Fix Version/s: 2.7.5, 2.8.0
CVE: CVE-2025-49146
Description
Current Situation
Currently JS7 JOC Cockpit ships with PostgreSQL JDBC Driver 42.7.4. This version is affected by vulnerability CVE-2025-49146.
- We do not rate the impact of this vulnerability, as it lies outside JS7 products, in the connection between JOC Cockpit and the DBMS.
- This is a security flaw of the PostgreSQL JDBC Driver that is resolved by updating the JDBC Driver to version 42.7.7, which fixes the issue.
- Customers should update the JDBC Driver, as the issue can be exploited in any system that makes use of the vulnerable JDBC Driver version, not only when it is used with JS7 products.
Desired Behavior
Upgrade the PostgreSQL JDBC Driver to version 42.7.7, which resolves the issue.
Risk Mitigation
- Customers using JS7 JOC Cockpit 2.7.x or 2.8.0 can download the JDBC Driver from the DBMS vendor's download page and update the JDBC Driver in their JOC Cockpit instance.
- JOC Cockpit stores JDBC Drivers in the <jetty-base>/lib/ext/joc directory. Users can shut down JOC Cockpit, replace the vulnerable postgresql-42.7.4.jar file with postgresql-42.7.7.jar and start JOC Cockpit again.
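The driver swap described above, written up as an added example script (not part of JS7 or the JOC Cockpit installation): it reads the driver version from the jar name in <jetty-base>/lib/ext/joc, reports whether it is already at 42.7.7 or later, verifies the SHA-256 of the replacement jar against a checksum the administrator took from the vendor's download page, moves the old jar to a backup directory and copies the new one in. The jetty-base path, the location of the downloaded jar, the backup directory and the checksum are all supplied by the caller and are assumptions of this example; JOC Cockpit must be stopped before running it.

```shell
#!/bin/sh
# Added example, not JS7 project code: inspect and replace the PostgreSQL JDBC
# driver jar in a JOC Cockpit <jetty-base>/lib/ext/joc directory.
# Assumptions: the replacement jar was already downloaded from the vendor's
# download page and, optionally, its SHA-256 checksum was noted from there.

FIXED_PGJDBC_VERSION="42.7.7"

# Print the version embedded in the name of the postgresql-<version>.jar found
# in directory $1 (for example "42.7.4"); fail if no such jar exists.
installed_pgjdbc_version() {
  for jar in "$1"/postgresql-*.jar; do
    [ -f "$jar" ] || return 1
    name=$(basename "$jar" .jar)
    printf '%s\n' "${name#postgresql-}"
    return 0
  done
  return 1
}

# Succeed if version $1 is the fixed version or newer (version-aware sort,
# so 42.7.10 is correctly treated as newer than 42.7.7).
is_fixed_pgjdbc_version() {
  lowest=$(printf '%s\n%s\n' "$1" "$FIXED_PGJDBC_VERSION" | sort -V | head -n 1)
  [ "$lowest" = "$FIXED_PGJDBC_VERSION" ]
}

# Print the SHA-256 of file $1 with whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d ' ' -f 1
  else
    shasum -a 256 "$1" | cut -d ' ' -f 1
  fi
}

# Replace the driver in directory $1 with the jar at $2. The old jar is moved
# to backup directory $3, which must lie outside lib/ext because Jetty's ext
# module loads every jar below lib/ext. If a checksum is given as $4 the new
# jar is only installed when its SHA-256 matches. Stop JOC Cockpit first.
replace_pgjdbc_driver() {
  dir="$1"; newjar="$2"; backup="$3"; expected="${4:-}"
  [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
  [ -f "$newjar" ] || { echo "new driver jar not found: $newjar" >&2; return 1; }
  if [ -n "$expected" ] && [ "$(sha256_of "$newjar")" != "$expected" ]; then
    echo "checksum mismatch for $newjar, refusing to install" >&2
    return 1
  fi
  mkdir -p "$backup"
  for old in "$dir"/postgresql-*.jar; do
    [ -f "$old" ] && mv "$old" "$backup/"
  done
  cp "$newjar" "$dir/$(basename "$newjar")"
}

# Usage: sh pgjdbc_update.sh <jetty-base> <new-jar> <backup-dir> [sha256]
main() {
  libdir="$1/lib/ext/joc"
  current=$(installed_pgjdbc_version "$libdir") \
    || { echo "no postgresql jar found in $libdir" >&2; return 1; }
  if is_fixed_pgjdbc_version "$current"; then
    echo "postgresql-$current.jar is already $FIXED_PGJDBC_VERSION or newer, nothing to do"
    return 0
  fi
  echo "found postgresql-$current.jar, replacing it with $(basename "$2")"
  replace_pgjdbc_driver "$libdir" "$2" "$3" "${4:-}"
}

if [ $# -ge 3 ]; then
  main "$@"
fi
```

The version is taken from the file name only, which is how the jar is shipped in lib/ext/joc; the checksum step is what protects against installing a tampered or truncated download, and the backup outside lib/ext avoids Jetty silently loading the old driver alongside the new one.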