Details
Fix
Status: Released
Minor
Resolution: Fixed
2.5.10, 2.5.12, 2.7.7
None
None
CVE-2026-27727, CVE-2026-27830
Description
Current Situation
JS7 JOC Cockpit ships with mchange-commons-java 0.3.1 and c3p0 0.10.0 (both from the com.mchange group). Both libraries are affected by the vulnerabilities.
These libraries are still shipped for backward compatibility only; they are no longer used, as HikariCP is the default connection pool. Unless an installation has been explicitly configured to use c3p0, neither library is used, so the application is not affected.
Desired Behavior
The libraries should be dropped and no longer shipped with the product.
Workaround
- Users who still use c3p0 as their connection pool should download newer versions of both libraries that fix the issue and replace the shipped ones with them.
- Users who cannot upgrade their JS7 JOC Cockpit instance can remove the vulnerable components as follows:
- stop the JOC Cockpit service
- delete both libraries from [JETTY_BASE]/webapps/joc/WEB-INF/lib
- start the JOC Cockpit service again
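The following script is an added example of the workaround above; it is not part of JS7 or of this issue. It refuses to delete the jars when the Hibernate configuration still selects c3p0 (in which case the first workaround, replacing the jars, applies). Assumptions not stated in the issue: the Jetty base directory is passed as the first argument; the connection pool is selected by a hibernate.connection.provider_class entry in [JETTY_BASE]/resources/joc/hibernate.cfg.xml; the service is stopped and started with commands supplied in the JOC_STOP and JOC_START environment variables; and the jar file names follow the pattern mchange-commons-java-<version>.jar and c3p0-<version>.jar.

```shell
#!/bin/sh
# Added example (not JS7 project code): remove the unused c3p0 and
# mchange-commons-java jars from a JOC Cockpit installation that cannot be
# upgraded. Assumed: $1 is [JETTY_BASE]; JOC_STOP/JOC_START hold the service
# commands; the pool is selected in resources/joc/hibernate.cfg.xml.

# Return 0 if the Hibernate config selects c3p0 as the connection pool.
# Such an installation must keep the jars (patched versions are needed).
# Assumption: the pool is chosen via hibernate.connection.provider_class.
uses_c3p0() {
    cfg="$1"
    [ -f "$cfg" ] && grep -q 'provider_class.*c3p0' "$cfg"
}

# Print the vulnerable jars present in the WEB-INF/lib directory $1.
find_vulnerable_libs() {
    libdir="$1"
    for f in "$libdir"/mchange-commons-java-*.jar "$libdir"/c3p0-*.jar; do
        [ -f "$f" ] && echo "$f"
    done
    return 0
}

# Delete the vulnerable jars from $1; return 0 only if none is left behind.
remove_vulnerable_libs() {
    libdir="$1"
    find_vulnerable_libs "$libdir" | while IFS= read -r f; do
        rm -f "$f"
    done
    [ -z "$(find_vulnerable_libs "$libdir")" ]
}

# Full workaround: check the configuration, stop, delete, start.
apply_workaround() {
    jetty_base="$1"
    libdir="$jetty_base/webapps/joc/WEB-INF/lib"
    cfg="$jetty_base/resources/joc/hibernate.cfg.xml"   # assumed location
    if uses_c3p0 "$cfg"; then
        echo "c3p0 is configured in $cfg: replace the jars with fixed versions instead of deleting them" >&2
        return 1
    fi
    ${JOC_STOP:-true}    # assumption: e.g. JOC_STOP='systemctl stop joc'
    remove_vulnerable_libs "$libdir" || return 1
    ${JOC_START:-true}   # assumption: e.g. JOC_START='systemctl start joc'
}

# Usage: JOC_STOP='...' JOC_START='...' sh remove_c3p0.sh "$JETTY_BASE"
[ -n "$1" ] && apply_workaround "$1"
```

Run it once with JOC_STOP and JOC_START unset to see which jars it would touch (the stop/start steps then become no-ops), then again with the real service commands.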