SO Security Vulnerabilities

NOTE: This page is a copy of the London SO report.

The tables contain the recommended package version upgrades for outdated direct dependencies with Critical or Severe vulnerabilities identified by NexusIQ. These packages must be upgraded by M2/M3, or a waiver must be requested from SECCOM and the TSC.

  • Priority 1 recommendations have at least one Critical vulnerability.

  • Priority 2 recommendations contain at least one Severe vulnerability, and no Critical vulnerabilities.

  • There are four status values:

    • Open - required upgrade identified

    • In Progress - project working on the upgrade

    • Complete - package has been upgraded to the recommended version

    • Waiver - project granted a waiver for the upgrade because of technical or resource constraints

When the upgrade of the package is complete, change the status in the table to Complete.

If a waiver is granted, change the status to Waiver.

When the status of every direct dependency replacement is Complete or Waiver, the Jira ticket should be closed.

so-adapters-so-etsi-sol003-adapter

| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| Complete | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | 2.14.1 | | This is an indirect dependency coming from the o-parent. Jul 25, 2023: The version 2.14.2 is updated and available in the Master branch. |
| Complete | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. Sep 6, 2023: As per our analysis, version 1.33 is not supported; it requires Spring Boot 3.0.0. So we tried updating to version 1.31, it is working, and we pushed the code changes. Sep 7, 2023: The version 1.31 is updated and available in the Master branch. |


so-libs

| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| Complete | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | | This is an indirect dependency coming from the o-parent. Jul 25, 2023: The version 2.14.2 is updated and available in the Master branch. |

so

| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| Complete | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.3 | 2.14.1 | | This is an indirect dependency coming from the o-parent. Jul 25, 2023: The version 2.14.2 is updated and available in the Master branch. |
| Complete | 1 | com.fasterxml.jackson.core : jackson-databind : 2.9.8 | 2.14.1 | | Same as above. |
| Complete | 1 | com.google.protobuf : protobuf-java : 3.10.0 | 4.0.0-rc-2 | | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. Jul 26, 2023: This dependency is excluded in the SO pom.xml, therefore there is no impact and no change is required in SO. |
| Complete | 1 | com.h2database : h2 : 1.4.200 | 0.16.4 | | We don't use this code in production; it is only built for testing code. Aug 17, 2023: 1) As per our analysis, the recommended version is the lowest one and is not available as a Maven dependency. 2) We updated to the latest version 2.1.214 and it works, i.e. the code builds successfully. Reference link: https://mvnrepository.com/artifact/com.h2database/h2. Sep 6, 2023: The version 2.1.214 is updated and available in the Master branch. |
| Open | 1 | org.apache.tomcat : tomcat-catalina : 9.0.45 | 9.0.37.1 | | This needs further analysis and we are facing a resource issue at the moment; we request a waiver. Sep 6, 2023: We are not able to find this dependency. |
| Complete | 1 | org.json : json : 20140107 | 20220924 | | The change would bring in major testing to be performed across the projects and we have a resource crunch. Jul 25, 2023: The version 2.14.2 is updated and available in the Master branch. |
| Complete | 1 | org.json : json : 20160212 | 20220924 | | The change would bring in major testing to be performed across the projects and we have a resource crunch. Jul 25, 2023: The version 2.14.2 is updated and available in the Master branch. |
| Open | 1 | org.springframework : spring-web : 5.2.14.RELEASE | 6.0.2 | | Aug 9, 2023: Spring Framework 6 requires Java 17. |
| Complete | 1 | org.springframework.data : spring-data-rest-hal-browser : 3.3.9.RELEASE | 3.3.9.RELEASE | | Aug 17, 2023: Change is pushed. Sep 6, 2023: The version 3.3.9.RELEASE is updated and available in the Master branch. |
| Open | 1 | org.springframework.security : spring-security-web : 5.4.6 | 3.0.11-oss | | This needs further analysis and we are facing a resource issue at the moment; we request a waiver. Aug 17, 2023: 1) As per our analysis, the recommended version 3.0.11-oss is not related to spring-security-web; it is related to the AJSC Archetype Parent, which is not used in our SO project (at least we did not find it). 2) Therefore we can update to the latest spring-security-web version 6.1.2, and it works, i.e. the code builds successfully. Reference links: https://mvnrepository.com/artifact/com.att.ajsc/ajsc-archetype-parent/3.0.11-oss and https://mvnrepository.com/artifact/org.springframework.security/spring-security-web/6.1.2. Sep 6, 2023: The version 6.1.2 is updated and available in the Master branch. Sep 19, 2023: We have removed spring-security-web version 6.1.2 because it requires Java 17. |
| Complete | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | | This needs further analysis and we are facing a resource issue at the moment; we request a waiver. Sep 6, 2023: As per our analysis, version 1.33 is not supported; it requires Spring Boot 3.0.0. So we tried updating to version 1.31, it is working, and we pushed the code changes. Sep 7, 2023: The version 1.31 is updated and available in the Master branch. |
| Complete | 2 | org.glassfish.jersey.core : jersey-common : 2.22.1 | | | Aug 17, 2023: Change is pushed. Sep 6, 2023: The version is updated and available in the Master branch. |
| Complete | 2 | org.glassfish.jersey.core : jersey-common : 2.30.1 | | | Aug 17, 2023: Change is pushed. Sep 6, 2023: The version is updated and available in the Master branch. |
| Open | 2 | org.springframework : spring-webmvc : 5.2.12.RELEASE | 6.0.2 | | Aug 9, 2023: Spring Framework 6 requires Java 17. |

so-so-admin-cockpit

| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| Complete | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | | This is an indirect dependency coming from the o-parent. The change would bring in major testing to be performed across the projects and we have a resource crunch. Jul 25, 2023: The version 2.14.2 is updated and available in the Master branch. |

so-so-etsi-nfvo

| Status | Priority | Component name and version | Recommended version | Threat level | Project's assessment |
|---|---|---|---|---|---|
| Complete | 1 | com.fasterxml.jackson.core : jackson-databind : 2.11.1 | 2.14.1 | | This is an indirect dependency coming from the o-parent. The change would bring in major testing to be performed across the projects and we have a resource crunch. Jul 25, 2023: The version 2.14.2 is updated and available in the Master branch. |
| Complete | 1 | org.yaml : snakeyaml : 1.26 | 1.33 | | This needs further analysis and is being checked in detail. We have a resource crunch at the moment. Sep 6, 2023: As per our analysis, version 1.33 is not supported; it requires Spring Boot 3.0.0. So we tried updating to version 1.31, it is working, and we pushed the code changes. Sep 7, 2023: The version 1.31 is updated and available in the Master branch. |