
Security Advisories & Cumulative Security Patch Release

Overview

Security advisories are released when critical vulnerabilities are found in Paradine’s software products.

Vulnerabilities are rated according to the Common Vulnerability Scoring System (CVSS), which captures the principal technical characteristics of software, hardware and firmware vulnerabilities. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.

If a critical security vulnerability is detected in one of our software products, we publish a security advisory on this page describing the issue and the possible mitigations.

Every quarter we provide a Cumulative Security Release for releases under active maintenance.

Impact to customer installations

In our managed service or cloud products, identified critical vulnerabilities are patched by Paradine as soon as possible after detection.

For on-premise installations or customer-maintained cloud installations, we disclose critical vulnerabilities on this page so that our customers can take appropriate patching measures.

Vulnerability fixing policy

Critical Security Vulnerabilities

When a Critical Security Vulnerability (9.0-10.0 according to the CVSS v3.1 specification) is discovered by internal checks or reported by a third party, we will:

  • Publish a security bulletin describing the issue and the possible mitigations, usually in parallel with the patch release, where one is issued.

  • If an acceptable mitigation is possible, lower the vulnerability's severity level to High and treat the issue as a non-critical vulnerability.

  • If no acceptable mitigation is possible, issue a new patch release for the latest software release, fixing the issue in the affected product(s) as soon as possible.

  • On customer request, also prepare a patch release for a previous software release, or for components of that release, provided the release in question is still covered by a valid maintenance contract.

In some cases we may use additional information not reflected in the CVSS score, e.g. knowledge about how the impacted components are used, to adjust the severity level of a vulnerability.

Non-critical vulnerabilities (High, Medium, Low)

  • When a security issue of High, Medium or Low severity is discovered, we will fix it within the service level objectives for issues of problem class 3; such issues are fixed together with the next minor or major release, whichever comes first.

What is a false positive vulnerability assessment?

  • An alert that incorrectly indicates that a vulnerability is present. Source: NIST SP 800-115

  • False positive vulnerabilities are documented but cannot be fixed.

List of Security Advisories & Cumulative Security Patch Release

Issue ID: BASE-1003
Summary: BASE-1003: API Vulnerability Bug log4j in pentaho third party library - Critical
Published Date: 5.5.2021
Severity: Critical
Affected Products: eptos base module / base-module-etl-export
CVE: CVE-2019-17571, CVE-2020-9493, CVE-2022-23305, GHSA-2qrg-x229-3v8q, GHSA-65fg-84f6-3jq3, GHSA-f7vh-qwp3-x37m

Issue ID: BASE-1045
Summary: BASE-1045: Critical CVE-2016-3088 activemq-protobuf 1.1 - False Positive
Published Date: 18.6.2021
Severity: Critical
Affected Products: eptos Base Module (All Components); eptos Email Collector
CVE: CVE-2010-0684, CVE-2010-1244, CVE-2011-4905, CVE-2012-5784, CVE-2012-6092, CVE-2012-6551, CVE-2013-1879, CVE-2013-1880, CVE-2013-3060, CVE-2014-3576, CVE-2015-7559, CVE-2016-3088, CVE-2018-11775, CVE-2020-13920, CVE-2020-13947

Issue ID: BASE-1340
Summary: BASE-1340: Critical Vulnerability CVE-2016-1906 hazelcast-kubernetes - Critical - False Positive
Published Date: 15.10.2021
Severity: Critical (False Positive)
Affected Products: eptos Base Module (All Components); eptos Email Collector
CVE: CVE-2015-7561, CVE-2016-1905, CVE-2016-1906, CVE-2016-7075

Issue ID: BASE-1388
Summary: BASE-1388: Apache Log4j2 not protected against attacker controlled LDAP and other JNDI related endpoints
Published Date: 9.12.2021; updated 17.12.2021
Severity: Critical
Affected Products: eptos modules - all releases 5.3 - 6.1; eptos Search Engine 2.0 - 2.1
CVE: CVE-2021-44228, CVE-2021-45046

Issue ID: BASE-1396
Summary: CVE-2021-45105 - Multiple eptos Releases - Security Advisory - Apache Log4j2 <= 2.17 did not protect from uncontrolled recursion from self-referential lookups
Published Date: 21.12.2021; updated 22.12.2021
Severity: Critical
Affected Products: eptos modules - 6.1; eptos Search Engine 2.0 - 2.1, only if API logging has been turned on (default: off)
CVE: CVE-2021-45105

Issue ID: BASE-1501
Summary: BASE-1501: Frontend Vulnerability Bug CVE-2022-1586, CVE-2022-1587 - Critical
Published Date: 21.06.2022
Severity: Critical
Affected Products: eptos Base Module (All Components); eptos Email Collector; eptos Search Engine
CVE: CVE-2022-1586, CVE-2022-1587

Issue ID: BASE-1551
Summary: BASE-1551: Pinpoint Agent 1.x Vulnerabilities
Published Date: 01.09.2022
Severity: Critical
Affected Products: eptos Base Module (All Components); eptos Business Party Manager; eptos Dictionary Transformation Manager; eptos Document Manager; eptos Terminology Manager; eptos Unit and Quantity Manager; eptos Template Manager; eptos Publication Manager; eptos Item Manager; eptos Dictionary Manager; eptos Email Collector; eptos Search Engine; eptos Search Engine 2.1
CVE: CVE-2018-10237, CVE-2018-11798, CVE-2018-1320, CVE-2019-0205, CVE-2019-0210, CVE-2019-16869, CVE-2019-17571, CVE-2019-20444, CVE-2019-20445, CVE-2020-13949, CVE-2020-8908, CVE-2020-9493, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, CVE-2021-43797, CVE-2022-23302, CVE-2022-23305, CVE-2022-23307, CVE-2022-24823, GHSA-2qrg-x229-3v8q, GHSA-5mg8-w23w-74h3, GHSA-65fg-84f6-3jq3, GHSA-fp5r-v3w9-4333, GHSA-g2fg-mr77-6vrm, GHSA-mvr2-9pj6-7w5j, GHSA-rj7p-rfgp-852x, GHSA-vx85-mj8c-4qm6, GHSA-w9p3-5cr8-m3jj, GHSA-wjxj-f8rg-99wx

Issue ID: BASE-1907
Summary: BASE-1907: Cumulative Security Patch for eptos Release 6.1.x - 2023-11
Affected Products: eptos 6.1 (All Components)
CVE: see bulletin

Issue ID: BASE-1910
Summary: BASE-1910: Cumulative Security Patch for eptos Release 6.2.x - 2023-11
Affected Products: eptos 6.2 (All Components)
CVE: see bulletin

Issue ID: BASE-1911
Summary: BASE-1911: Critical CVE-2023-46604 activemq-protobuf 1.1 - False Positive
Published Date: 17.11.2023
Severity: Critical (False Positive)
Affected Products: eptos 6.x (All Components)
CVE: CVE-2023-46604

Issue ID: BASE-1913
Summary: BASE-1913: Cumulative Security Patch for eptos Release 6.3.x - 2023-11
Affected Products: eptos 6.3 (All Components)
