Security: vulnerable libraries in Yellowfin, with locations. Please state the mitigation for these risks.

phani shared this problem 25 days ago
Completed


Vulnerable library locations:

| Library | Version | Location |
|---|---|---|
| Apache HttpMime | 4.2.1 | yellowfin.war\WEB-INF\lib |
| Apache PDFBox | 2.0.24 | yellowfin.war\WEB-INF\lib |
| Apache HttpClient | 4.5.10 | yellowfin.war\WEB-INF\lib |
| commons-net | 3.3 | yellowfin.war\WEB-INF\lib |
| Bouncy Castle | 1.64 | yellowfin.war\WEB-INF\lib |
| Apache Tomcat | 9.0.82 | appserver |
| Apache Tomcat | 9.0.75 | appserver |
| Spring Framework | 5.3.30 | yellowfin.war\WEB-INF\lib |
| Apache Commons Compress | 1.21 | yellowfin.war\WEB-INF\lib |
| Apache Santuario (Java) | 2.2.3 | yellowfin.war\WEB-INF\lib |
| Apache Commons Codec | 1_6 | yellowfin.war\WEB-INF\lib |
| Nimbus-JOSE-JWT | 9.31 | apache-tomcat-9.0.75/lib/nimbus-jose-jwt-9.31.jar/ |
| Apache ServiceMix Bundles: commons-io-1.3.2 | 1.4_3 | apache-tomcat-9.0.75/lib |
| jsoup | 1.14.2 | yellowfin.war\WEB-INF\lib |
| JFreeChart | 1.0.19 | yellowfin.war\WEB-INF\lib |
| JFreeChart | 1.5.0 | yellowfin.war\WEB-INF\lib |
| Axis2 (Java) | 1.4.1 | yellowfin.war\WEB-INF\lib |
| PostgreSQL JDBC Driver (pgjdbc) | 42.5.0 | /yfres/jdbc-drivers/postgresql-42.5.0.jar/ |
| H2 Database Engine | 2.1.214 | apache-tomcat-9.0.75/lib |
| Apache Log4j | 1.1.1 | yellowfin.war\WEB-INF\lib |
| Apache Log4j | 1.2.8 | development/nteventlog (we were asked to remove this folder) |

Replies (16)


Hello phani

Thank you for submitting this request to the Yellowfin Technical Support Team. My name is Ankit Asati and I will be supporting you with the issue. This ticket appears to be a duplicate of your previous ticket, so we are going ahead with closure of this case. However, we will be assisting with the issue under the previous ticket, i.e. 29615.


Sincerely,

Ankit Asati
Yellowfin Technical Support


Sure, maybe it is duplicated. 29615 is the active one.


Hello phani

Thank you for submitting this request to the Yellowfin Technical Support Team. My name is Ankit Asati and I will be supporting you with this issue.

Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello phani

Thank you for your patience. In order to assist you, please provide us with the following information:

Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello phani

I wanted to follow up with you regarding the information I requested in my last email. This will allow me to further troubleshoot this issue and work towards a resolution. I know you may be busy but this information is necessary to solve this issue.

Thank you,

Ankit Asati

Yellowfin Technical Support


Hello phani

Thank you for your patience.
This is to keep you informed that we have submitted a Task to the product team. As soon as we hear back from them, we will get back to you with the updates via the community ticket for your visibility. For now, I'll change the ticket status to 'On Hold'. Feel free to reach out to us if you have any questions or concerns; we would be more than happy to assist you.

Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello phani

Could you please provide a list of the specific CVEs, with CVE numbers, for the vulnerabilities you are concerned about, so that they can be looked into specifically.

Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello phani

I wanted to follow up with you regarding the information I requested in my last email. This will allow me to further troubleshoot this issue and work towards a resolution. I know you may be busy but this information is necessary to solve this issue.

Thank you,

Ankit Asati

Yellowfin Technical Support


Please find the attached Excel file for clearer formatting.

| Library | Version | Location | CVE / BDSA |
|---|---|---|---|
| Apache HttpMime | 4.2.1 | yellowfin.war\WEB-INF\lib | CVE-2012-5783, CVE-2012-6153 |
| Apache PDFBox | 2.0.24 | yellowfin.war\WEB-INF\lib | BDSA-2022-1920 |
| Apache HttpClient | 4.5.10 | yellowfin.war\WEB-INF\lib | CVE-2020-13956 |
| commons-net | 3.3 | yellowfin.war\WEB-INF\lib | CVE-2021-37533 |
| Bouncy Castle | 1.64 | yellowfin.war\WEB-INF\lib | CVE-2023-33201, CVE-2020-15522, BDSA-2023-3254 (CVE-2023-33202) |
| Apache Tomcat | 9.0.82 | appserver | BDSA-2024-0396, CVE-2023-46589 |
| Apache Tomcat | 9.0.75 | appserver | CVE-2023-44487, CVE-2023-46589, CVE-2023-42795, CVE-2023-45648, CVE-2023-42794, CVE-2023-41080 |
| Spring Framework | 5.3.30 | yellowfin.war\WEB-INF\lib | CVE-2022-22965, CVE-2016-1000027, BDSA-2022-0847, CVE-2021-22118, CVE-2021-22096, CVE-2021-22060, CVE-2022-22968, CVE-2022-22970, CVE-2020-5421, CVE-2022-22950, CVE-2023-20863, CVE-2022-22971, CVE-2023-20861 |
| Apache Commons Compress | 1.21 | yellowfin.war\WEB-INF\lib | BDSA-2024-0363 (CVE-2024-25710) |
| Apache Santuario (Java) | 2.2.3 | yellowfin.war\WEB-INF\lib | CVE-2023-44483 |
| Apache Commons Codec | 1_6 | yellowfin.war\WEB-INF\lib | BDSA-2012-0001 |
| Nimbus-JOSE-JWT | 9.31 | apache-tomcat-9.0.75/lib/nimbus-jose-jwt-9.31.jar/ | CVE-2019-17195, CVE-2017-12972, CVE-2017-12974, BDSA-2016-0008 (CVE-2016-9121), BDSA-2017-0101 |
| Apache ServiceMix Bundles: commons-io-1.3.2 | 1.4_3 | apache-tomcat-9.0.75/lib | CVE-2021-29425 |
| jsoup | 1.14.2 | yellowfin.war\WEB-INF\lib | CVE-2022-36033 |
| JFreeChart | 1.0.19 | yellowfin.war\WEB-INF\lib | BDSA-2024-0980 (CVE-2024-22949) |
| JFreeChart | 1.5.0 | yellowfin.war\WEB-INF\lib | BDSA-2024-0980 (CVE-2024-22949) |
| Axis2 (Java) | 1.4.1 | yellowfin.war\WEB-INF\lib | CVE-2010-1632, CVE-2010-0219, CVE-2010-2103, CVE-2012-4418, CVE-2012-5785, CVE-2012-5351 |
| PostgreSQL JDBC Driver (pgjdbc) | 42.5.0 | /yfres/jdbc-drivers/postgresql-42.5.0.jar/ | CVE-2022-41946 |
| H2 Database Engine | 2.1.214 | apache-tomcat-9.0.75/lib | CVE-2022-45868, BDSA-2018-1048 (CVE-2018-10054) |
| Apache Log4j | 1.1.1 | yellowfin.war\WEB-INF\lib | CVE-2019-17571, BDSA-2021-3764 (CVE-2021-4104), CVE-2023-26464, CVE-2022-23302, BDSA-2020-1398 (CVE-2020-9488) |
| Apache Log4j | 1.2.8 | development/nteventlog | CVE-2022-23305, CVE-2020-9493, CVE-2019-17571, CVE-2023-26464, CVE-2021-4104, CVE-2022-23302, CVE-2022-23307, BDSA-2020-1398 (CVE-2020-9488) |

Hello Phani,

Thank you for providing the CVE details. The product team will analyze them, and as soon as we hear back from them we will get back to you with the updates via the community ticket for your visibility.
Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello phani

I noticed that some of the BDSA numbers in the Excel file do not have a corresponding CVE, based on the list of CVE numbers you sent. BDSA-2012-0001, BDSA-2017-0101, and BDSA-2022-1920 are the numbers in question. Could you please provide the equivalent CVE numbers as well.

Sincerely,

Ankit Asati
Yellowfin Technical Support


Hello Ankit

Can you please go through, for example, https://mvnrepository.com/artifact/org.apache.pdfbox/pdfbox/

These are open-source libraries and their vulnerabilities are openly found in any of them if you search. Our application security standards do not accept these even if a single CVE/BD is reported. The ones with BD were reported by the Black Duck tool.

Please tell me what the mitigation is for multiple old vulnerable libs.

Please see, all are open source; please browse, they have known vulnerabilities.


Hello phani

Thank you for the shared information; we have passed it on to the product team and they are working on it. As soon as we hear back from them, we will get back to you with the updates via the community ticket for your visibility.

Sincerely,

Ankit Asati
Yellowfin Technical Support


Hi Ankit,

Can you please link to the active ticket so those of us with a similar concern can follow the progress?

Many thanks

Lex


Hi Lex,

Sure, I have linked it to the currently active ticket (29615) for this issue. You can find the ticket details in the merged ticket option.

Regards,

Ankit Asati
