/
P1 Security Vulnerability Remediation Options

P1 Security Vulnerability Remediation Options

Context

When a P1 (critical priority) security vulnerability is discovered in an unsupported version of a library or framework dependency that Ramsons is using, stakeholders must evaluate multiple remediation paths. These options helps determine the appropriate response based on impact, cost, and organizational responsibilities.

Applicable to dependencies including: Spring framework, Vert.x, PostgreSQL, Kafka, React, Node.js, and other third-party libraries used in FOLIO modules. Check https://folio-org.atlassian.net/wiki/x/8RxN for supported dependencies.

Remediation Options

Impact Assessment - High Impact

  • Requires code refactoring for compatibility across all affected modules

  • Extensive regression testing (all modules using dependency). Testing in snapshot and BugFest environments required

  • Potential breaking changes in APIs and interfaces

  • Development timeline: 6-9 months typical (based on Java 17, Spring Boot 3.0)

  • Risk of introducing new bugs during migration

  • Infrastructure components (PostgreSQL, Kafka) require stakeholder consensus

  • May require cascading upgrades (e.g., Spring Boot 3.0 requires Java 17)

Cost Estimate - High Cost

  • Development effort: High (multiple teams if widely-used dependency)

  • Testing resources: Extensive

  • Potential for delayed release timeline

  • Estimated: $$-$$$ (varies by dependency scope)

Ownership/Responsible Party - Development Teams (Primary)

  • Module owners implement changes in their modules

  • Security Team assesses vulnerability risk and validates fixes

  • DevOps updates CI/CD pipelines and reference environments

  • Release Management Stakeholders approve timeline adjustments if needed

Impact Assessment - Very High Impact & Risk

  • Requires deep knowledge of library/framework internals (Spring, Vert.x, PostgreSQL source code)

  • Modifies core dependency code - creates "fork" of upstream project

  • Creates significant maintenance burden for all future dependency updates

  • Patch may conflict with future upstream changes

  • Difficult to test all edge cases and interactions

  • Ongoing responsibility to maintain patch across FOLIO releases

  • Risk of patch not addressing root vulnerability completely

Cost Estimate - High Cost + Ongoing (Recurring)

  • Initial development: Very High

  • Requires specialized external consultants with deep dependency expertise

  • Continuous maintenance cost for each FOLIO release

  • Regression testing for every dependency update

  • Documentation and knowledge transfer costs

  • Estimated: $$$+ initial, $$+ per release (recurring)

Ownership/Responsible Party - Specialized Consultants (Primary) + Development Team

  • Requires external security/dependency experts

  • Development team owns long-term patch maintenance

  • Security team validates patch effectiveness (may require external audit)

  • Hosting providers may refuse to deploy custom-patched dependencies due to risk

Impact Assessment - Medium Impact

  • Follow standard FOLIO upgrade path (e.g., Ramsons → Sunflower)

  • Includes all platform improvements and new features

  • May require configuration updates for new modules/capabilities

  • Data migration handled by tenant APIs and Liquibase

  • Testing against new FOLIO version in BugFest environment

  • Timeline: Variable - If next release available within 2-4 months, most viable option

  • FOLIO support period: ~8-12 months per release (current + previous release supported)

  • Addresses dependency issue as part of tested platform update

  • Custom modules may require compatibility updates

Cost Estimate - Medium Cost

  • Upgrade effort: Standard (well-documented process)

  • Testing: Normal release validation (leverages community BugFest testing)

  • Training on new FOLIO features and UI changes

  • Lower risk than custom solutions - tested upgrade path

  • May include accelerated timeline costs if urgent

  • Estimated: $-$$

Ownership/Responsible Party - Hosting Provider (Primary)

  • Hosting provider manages platform upgrade deployment

  • FOLIO community provides comprehensive upgrade documentation and release notes

  • Development team only involved if custom modules require updates

  • DevOps handles infrastructure component upgrades (PostgreSQL, Kafka, etc.)

  • Community participates in BugFest testing for upcoming release

Impact Assessment - Low-Medium Impact

  • Deploy compensating security controls (WAF rules, network isolation, IDS/IPS)

  • Implement enhanced monitoring and alerting for exploit attempts

  • NOT a permanent solution - only buys time for proper remediation

  • May reduce attack surface but may not fully eliminate vulnerability

  • Useful as interim measure while waiting for next FOLIO release

  • Can be deployed quickly (days to weeks vs. months for full fix)

  • Does not address root cause of vulnerability

Cost Estimate - Low-Medium Cost

  • Infrastructure security control changes: Moderate

  • Security tool configuration and rule development

  • Increased monitoring and log analysis overhead

  • Temporary measure - costs until permanent fix deployed

  • May require additional security software licenses

  • Estimated: $-$$ (one-time + operational costs until permanent fix)

Ownership/Responsible Party - Hosting Provider + Security Team (Primary)

  • Hosting provider implements infrastructure controls (network segmentation, WAF)

  • Security team defines requirements and validates effectiveness

  • Must communicate to institutions: This is temporary; permanent fix required

  • DevOps configures monitoring and alerting systems

Impact Assessment - Varies by Vulnerability

  • Requires formal risk acceptance through institutional governance

  • Continuous monitoring required for exploitation indicators

  • May violate regulatory compliance (GDPR, state privacy laws)

  • Could expose institution to data breaches, ransomware, system compromise

  • NOT recommended for P1 vulnerabilities - typically only viable for low-severity issues with strong mitigating controls

  • May trigger audit findings or regulatory sanctions

  • Could impact institution's insurance coverage and premiums

  • Reputational risk if breach occurs

Cost Estimate - Low Initial Cost, Potentially Catastrophic

  • Documentation effort: Minimal initial

  • Ongoing monitoring and log analysis

  • Potential breach costs: Data breach remediation (notification, credit monitoring, legal fees), regulatory fines, litigation, reputation damage

  • Compliance audit failures may require emergency remediation

  • Estimated: $ (initial) to $$$$+ (if exploited) - Average data breach cost >$4M

Ownership/Responsible Party - Institution Leadership + Legal + Risk Management

  • Legal and compliance review for regulatory obligations

  • Security team documents risk assessment, exploitability, potential impact

  • Risk management/audit committee may need to approve

  • NOT appropriate for P1 vulnerabilities in most institutions