Issues (title, key, resolution status, assignee)
- Update json for indirect dependencies (NMS-16572; Christian Pape)
- Update Snakeyaml for indirect dependencies (NMS-16570, resolved; Christian Pape)
- Resolve jsoup version discrepancy seen in the dependency graph (NMS-16552, resolved; Christian Pape)
- Netty update of indirect dependencies to older version (NMS-16551)
- Update Apache CXF to 4.0.5, 3.6.4 or 3.5.9 or to latest to fix CVE-2024-29736 (NMS-16550, resolved; Christian Pape)
- Update proton-j to 0.34 or latest for OSGi (NMS-16549, resolved; Christian Pape)
- Session Fixation vulnerability CWE-384 needs to be addressed (NMS-16548, resolved; Christian Pape)
- Update Swagger UI to version 3.23.11 or later to address CVE-2019-17495 (NMS-16546, resolved; Christian Pape)
- Update golang.org/x/crypto to 0.17.0 or latest (NMS-16516)
- Update esapi version to latest (NMS-16515, resolved; Christian Pape)
- Update jackson-databind to version 2.13.21 to get multiple CVE fixes (NMS-16512, resolved)
- PoweredBy-2023 vulnerabilities reported Sep 2024 (NMS-16511)
- Version bump of json-lib (NMS-16195, resolved)
- Version bump of snappy-java (NMS-16194, resolved; Benjamin Reed)
- Bump to the latest Netty 4 version (NMS-16193, resolved; Benjamin Reed)
- Version bump of Jetty to version 9.4.53 (NMS-16192, resolved; Benjamin Reed)
- Update to Netty 4 (NMS-16184, resolved; Christian Pape)
- Use a different HTML parser to replace jsoup and OWASP functionality (NMS-16183)
- Update hibernate-validator to 4.3.2 (NMS-16182, resolved; Christian Pape)
- Integrate hibernate-core related patch from Debian (NMS-16181, resolved; Benjamin Reed)
- Update grpc to the next version to address CVEs (NMS-16180, resolved; Chandra Gorantla)
- Backport Drools 8.x to foundation 2023 to address a couple of CVEs (NMS-16179, resolved; Benjamin Reed)
- PoweredBy-2023 vulnerabilities reported 3Q2023 (NMS-16177)
- Update PoweredBy docs module to include new releases (NMS-14705, resolved; Bonnie Robinson)
- Update support instructions in PoweredBy branches (NMS-14704, resolved; Bonnie Robinson)
- Revive PoweredBy section in new docs (NMS-14703, resolved; Benjamin Reed)
- Updates to PoweredBy documentation and other resources (NMS-14702)
- Events show interface 127.0.0.1 (NMS-5232, resolved; Benjamin Reed)
Update json for indirect dependencies
Description
Acceptance / Success Criteria
None
Details
Assignee: Christian Pape
Reporter: Veena Kannan
HB Grooming Date: Oct 03, 2024
HB Backlog Status: Refined Backlog
Sprint: None
Fix versions:
Priority: High
Created October 3, 2024 at 7:41 PM
Updated January 22, 2025 at 2:27 PM
Activity
Christian Pape, October 29, 2024 at 12:10 PM (edited)
The JSON library is part of the Hawtio version we are using. The opennms-webapp-hawtio package can help to visualize the Camel and ActiveMQ internals. It is not installed by default.
The next version of Hawtio with a newer dependency for the JSON library will also depend on javax.servlet version 4.0.1, which - as I assume - we cannot update at this point.
Nishtha Kaura, October 8, 2024 at 1:33 PM
CVE Description: Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.
Adjusting CVSS to indicate it has to be a local Attack Vector in the network.
CVSS v3.1 Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Overall CVSS Score: 6.2 Medium
We have updated our json to the latest version for the JVM, but we still see security issues flagged for CVE-2023-5072.
Need to address the indirect dependencies.