[MODSER-1] Upgrade hibernate, postgresql, kafka, liquibase, commons-io, opencsv
Created: 21/Feb/23
Updated: 20/Mar/23
Resolved: 20/Mar/23

Status: Closed
Project: mod-serials-management
Components: None
Affects versions: None
Fix versions: None

Type: Bug
Priority: TBD
Reporter: Julian Ladisch
Assignee: Jack Golding
Resolution: Done
Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to MODOA-47 Update hibernate, postgresql, kafka, ... Closed
Sprint:
Development Team: K-Int
RCA Group: Related dependency upgrade

Description

Upgrade dependencies that have known security vulnerabilities:

Upgrade hibernate-core from 5.4.19.Final to the latest 5.4.x version, 5.4.33.Final, fixing SQL Injection:
https://nvd.nist.gov/vuln/detail/CVE-2020-25638

Upgrade postgresql JDBC from 42.3.1 to the latest 42.5.x, fixing SQL Injection:
https://nvd.nist.gov/vuln/detail/CVE-2022-31197

postgresql 42.2, 42.3 and 42.4 have reached end of life and are unsupported, see https://jdbc.postgresql.org/download/

Upgrade kafka-clients from 2.3.0 to a fixed version >= 2.7.2 fixing a Timing Attack vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2021-38153

Upgrade liquibase-core from 3.9.0 to a fixed version >= 4.8.0 fixing an XML External Entity (XXE) Injection: https://nvd.nist.gov/vuln/detail/CVE-2022-0839

Upgrade commons-io from 2.6 to a fixed version >= 2.7 fixing Directory Traversal: https://nvd.nist.gov/vuln/detail/CVE-2021-29425

Upgrade opencsv from 4.6 to a fixed version >= 5.7.1. This indirectly upgrades commons-beanutils 1.9.3 that has Deserialization of Untrusted Data: https://nvd.nist.gov/vuln/detail/CVE-2019-10086
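The list above is easy to verify mechanically once the bumps land. The script below is an added example, not part of this ticket or of the mod-serials-management code base: it parses a Gradle `dependencies` tree and checks each tracked artifact against the minimum fixed versions given in the description. The Maven coordinates (`org.hibernate:hibernate-core`, `org.postgresql:postgresql`, `org.apache.kafka:kafka-clients`, `org.liquibase:liquibase-core`, `commons-io:commons-io`, `com.opencsv:opencsv`) are the usual ones for these libraries and are assumed to be what the project declares; the `42.5.0` floor for postgresql is an assumption standing in for "latest 42.5.x"; the dependency report is constructed sample data.

```python
import re

# Minimum fixed versions taken from the ticket description. The postgresql floor
# is an assumption: the ticket asks for "latest 42.5.x", so any 42.5.x passes here.
MIN_VERSIONS = {
    "org.hibernate:hibernate-core": "5.4.33.Final",
    "org.postgresql:postgresql": "42.5.0",
    "org.apache.kafka:kafka-clients": "2.7.2",
    "org.liquibase:liquibase-core": "4.8.0",
    "commons-io:commons-io": "2.7",
    "com.opencsv:opencsv": "5.7.1",
}

# Matches one coordinate in `gradle dependencies` tree output, for example
#   +--- org.hibernate:hibernate-core:5.4.19.Final
#   +--- commons-io:commons-io:2.6 -> 2.7
# The optional "-> X" is Gradle's conflict-resolution arrow; X is the version
# that actually ends up on the classpath, so it is the one to audit.
COORD_RE = re.compile(r"([\w.\-]+:[\w.\-]+):([\w.\-]+)(?:\s+->\s+([\w.\-]+))?")


def version_key(version):
    """Leading dot-separated numeric segments as a tuple: '5.4.33.Final' -> (5, 4, 33).
    Qualifiers such as 'Final' are dropped, which is sufficient for release versions."""
    key = []
    for part in re.split(r"[.\-]", version):
        if not part.isdigit():
            break
        key.append(int(part))
    return tuple(key)


def is_at_least(actual, minimum):
    """True when `actual` is the same as or newer than `minimum` (missing segments count as 0)."""
    a, m = version_key(actual), version_key(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


def audit(report_lines):
    """Return {coordinate: (effective_version, meets_floor)} for every tracked
    dependency found in the report. Untracked coordinates are ignored."""
    findings = {}
    for line in report_lines:
        match = COORD_RE.search(line)
        if not match:
            continue
        coord, declared, resolved = match.groups()
        if coord not in MIN_VERSIONS:
            continue
        effective = resolved or declared
        findings[coord] = (effective, is_at_least(effective, MIN_VERSIONS[coord]))
    return findings


def still_vulnerable(report_lines):
    """Sorted list of tracked coordinates whose effective version is below the floor."""
    return sorted(coord for coord, (_, ok) in audit(report_lines).items() if not ok)


# Constructed sample of a Gradle dependency tree, part-way through the upgrade.
SAMPLE_REPORT = """\
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.hibernate:hibernate-core:5.4.19.Final
+--- org.postgresql:postgresql:42.3.1 -> 42.5.1
+--- org.apache.kafka:kafka-clients:2.3.0 -> 2.8.2
+--- org.liquibase:liquibase-core:3.9.0
+--- commons-io:commons-io:2.6 -> 2.11.0
\\--- com.opencsv:opencsv:4.6 -> 5.7.1
""".splitlines()

if __name__ == "__main__":
    for coord, (version, ok) in audit(SAMPLE_REPORT).items():
        status = "OK " if ok else "BAD"
        print(f"{status} {coord}:{version} (min {MIN_VERSIONS[coord]})")
```

Run against the real output of `./gradlew dependencies --configuration runtimeClasspath` instead of the sample; reading the resolved version after the arrow matters because a bumped declaration can still be pulled back down (or up) by conflict resolution elsewhere in the tree.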

Comments
Comment by Julian Ladisch [ 21/Feb/23 ]

Please adjust the Jira as needed.

If a dependency is not upgraded because mod-serials-management is not affected by the vulnerability please add a comment why.

Comment by Jack Golding [ 22/Feb/23 ]

postgresql, kafka-clients, commons-io and opencsv have been bumped. hibernate will require a grails bump/upgrade before it can be done, and liquibase will need an upgrade due to a breaking change in a minor version.

Comment by Julian Ladisch [ 23/Feb/23 ]

Hi Jack,

Thank you for the fast response.

Why does the patch version upgrade of hibernate-core from 5.4.19.Final to 5.4.33.Final require a grails bump?

Comment by Jack Golding [ 23/Feb/23 ]

Hi Julian

Apologies for that. I was told that bumping hibernate-core would require a grails bump, but we were under the impression that this was the minor version change to 5.6.x.

The hibernate-core has now been bumped to 5.4.33.Final.

Generated at Thu Feb 08 22:30:57 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.