Details
- Type: Fix
- Status: Released
- Priority: Minor
- Resolution: Fixed
- Fix Version/s: 1.12.13, 1.13.5
- CVE: CVE-2022-23437
Description
Current Situation
- Currently JobScheduler Master, Agent and JOC Cockpit Web Services ship with Xerces 2.12.0.
- CVE-2022-23437 affects this version.
Desired Behavior
- Because older Xerces releases are affected by this vulnerability, JobScheduler Master, Agent and JOC Cockpit Web Service should use the current version 2.12.2, which fixes the issue.
Workaround
- The Apache Xerces Project provides updated Java libraries.
- The updated libraries are also provided via Maven and other build tools, e.g. the Maven Central search engine:
  - xercesImpl-2.12.2.jar
- JS1 JobScheduler (releases 1.12.13, 1.13.5 and newer)
  - Master
    - remove the following libraries from the directory SCHEDULER_HOME/lib/3rd-party:
      - xercesImpl-2.12.0.jar or any version before 2.12.2
    - add the updated library xercesImpl-2.12.2.jar to the directory SCHEDULER_HOME/lib/3rd-party
  - Agent
    - remove the following libraries from the directory SCHEDULER_HOME/lib/3rd-party:
      - xercesImpl-2.12.0.jar or any version before 2.12.2
    - add the updated library xercesImpl-2.12.2.jar to the directory SCHEDULER_HOME/lib/3rd-party
  - JOC
    - unpack the file JETTY_BASE/webapps/joc.war to a temporary folder or open it with a zip tool
    - remove the following libraries from the directory WEB-INF/lib:
      - xercesImpl-2.12.0.jar or any version before 2.12.2
    - add the updated library xercesImpl-2.12.2.jar to the directory WEB-INF/lib
    - re-pack the temporary folder and overwrite JETTY_BASE/webapps/joc.war with the updated file of the same name
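As an added example, not part of this ticket or of the JobScheduler code base: a POSIX shell helper that carries out the Master, Agent and JOC steps listed above. It assumes SCHEDULER_HOME and JETTY_BASE are set as in the ticket, that xercesImpl-2.12.2.jar has been downloaded from Maven Central, and that zip and unzip are on PATH; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the SOS ticket or of JobScheduler itself:
# applies the Workaround steps. It finds xercesImpl jars older than 2.12.2
# in a library directory, removes them, installs xercesImpl-2.12.2.jar,
# and does the same inside joc.war.
# Assumptions: SCHEDULER_HOME and JETTY_BASE are set as in the ticket, the
# replacement jar was downloaded from Maven Central, and zip/unzip are on PATH.
set -u

FIXED_VERSION="2.12.2"

# Print the version embedded in a file name such as xercesImpl-2.12.0.jar;
# fail (print nothing) for any other file name so unrelated jars are skipped.
xerces_version_of() {
    name=${1##*/}
    case $name in
        xercesImpl-[0-9]*.jar)
            name=${name#xercesImpl-}
            printf '%s\n' "${name%.jar}"
            ;;
        *) return 1 ;;
    esac
}

# version_lt A B: succeed when dotted version A is strictly older than B.
# Compares numerically component by component, so 2.9.1 < 2.12.2 holds
# (a plain string comparison would rank "2.9.1" after "2.12.2").
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # versions are equal
}

# Print every xercesImpl jar in DIR whose version is older than FIXED_VERSION.
# Run this alone first to audit an installation without changing anything.
find_vulnerable_jars() {
    for jar in "$1"/xercesImpl-*.jar; do
        [ -e "$jar" ] || continue
        ver=$(xerces_version_of "$jar") || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            printf '%s\n' "$jar"
        fi
    done
}

# Master/Agent steps: remove vulnerable xercesImpl jars from DIR, add NEW_JAR.
replace_xerces_in_dir() {
    find_vulnerable_jars "$1" | while IFS= read -r jar; do
        echo "removing $jar"
        rm -f -- "$jar"
    done
    cp -- "$2" "$1/"
}

# JOC step: unpack joc.war, patch WEB-INF/lib, re-pack and overwrite the
# original war (a .bak copy is kept so the change can be rolled back).
replace_xerces_in_war() {
    war=$1; new_jar=$2
    tmp=$(mktemp -d)
    cp -- "$war" "$war.bak"
    unzip -q "$war" -d "$tmp"
    replace_xerces_in_dir "$tmp/WEB-INF/lib" "$new_jar"
    (cd "$tmp" && zip -q -r "$tmp.war" .)
    mv -- "$tmp.war" "$war"
    rm -rf -- "$tmp"
}

# Usage, with the paths named in the ticket (stop the services first):
#   find_vulnerable_jars "$SCHEDULER_HOME/lib/3rd-party"
#   replace_xerces_in_dir "$SCHEDULER_HOME/lib/3rd-party" ./xercesImpl-2.12.2.jar
#   replace_xerces_in_war "$JETTY_BASE/webapps/joc.war" ./xercesImpl-2.12.2.jar
```

Run find_vulnerable_jars on its own first to confirm what an installation actually ships (the ticket says 2.12.0, but the check also catches any older 2.x jar left behind by a previous upgrade), and run it again after the services have been restarted to verify that no pre-2.12.2 copy remains.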
Issue Links
- is related to: SET-196 Update Xerces 2.11.0 to 2.12.0 due to 3rd party vulnerability issue CVE-2015-6420 (Released)