Security Advisories & Cumulative Security Patch Release
Overview
Security advisories are released when critical vulnerabilities are found in Paradine’s software products.
Vulnerabilities are rated according to the Common Vulnerability Scoring System (CVSS), which captures the principal technical characteristics of software, hardware and firmware vulnerabilities. Its outputs include numerical scores indicating the severity of a vulnerability relative to other vulnerabilities.
If a critical security vulnerability is detected in our software products, we publish a security advisory on this page describing the issue and possible mitigations.
Every quarter we provide a Cumulative Security Release for releases under active maintenance.
Impact on customer installations
In our managed service or cloud products, identified critical vulnerabilities are patched by Paradine as soon as possible after detection.
For on-premise installations or customer-maintained cloud installations, we disclose critical vulnerabilities on this page so that our customers can take appropriate patching measures.
Vulnerability fixing policy
Critical Security Vulnerabilities
When a Critical Security Vulnerability (score 9.0-10.0 according to the CVSS v3.1 specification) is discovered by internal checks or reported by a third party, we will:
Publish a security bulletin describing the issue and mitigation possibilities, usually in parallel with the corresponding patch release, if one is issued.
If an acceptable mitigation is available, the vulnerability's severity level will be changed to High and the issue will be treated as a non-critical vulnerability.
If no acceptable mitigation is available, we will issue a new patch release for the latest software release, fixing the issue in the affected product(s) as soon as possible.
On customer request, we will also prepare a new patch release for a previous software release, or for components of that previous release, provided the release in question is still under a valid maintenance contract.
In some cases, we may use additional information unrelated to the CVSS score, e.g. knowledge about how the impacted components are used, to adjust the severity level of a vulnerability.
Non-critical vulnerabilities (High, Medium, Low)
When a security issue of High, Medium or Low severity is discovered, we will fix it within the service level objectives for issues of problem class 3, i.e. together with the next minor or major release, whichever comes first.
What is a false positive vulnerability assessment?
An alert that incorrectly indicates that a vulnerability is present. Source: NIST SP 800-115.
False positive findings are documented but cannot be fixed, since no actual vulnerability is present in the product.
List of Security Advisories & Cumulative Security Patch Release
Issue ID | Summary | Published Date | Severity | Affected Products | CVE |
---|---|---|---|---|---|
BASE-1003 | API Vulnerability Bug log4j in pentaho third-party library - Critical | 5.5.2021 | Critical | eptos base module / base-module-etl-export | CVE-2019-17571, CVE-2020-9493, CVE-2022-23305, GHSA-2qrg-x229-3v8q, GHSA-65fg-84f6-3jq3, GHSA-f7vh-qwp3-x37m |
BASE-1045 | Critical CVE-2016-3088 activemq-protobuf 1.1 - False Positive | 18.6.2021 | Critical | eptos Base Module (All Components); eptos Email Collector | CVE-2010-0684, CVE-2010-1244, CVE-2011-4905, CVE-2012-5784, CVE-2012-6092, CVE-2012-6551, CVE-2013-1879, CVE-2013-1880, CVE-2013-3060, CVE-2014-3576, CVE-2015-7559, CVE-2016-3088, CVE-2018-11775, CVE-2020-13920, CVE-2020-13947 |
BASE-1340 | Critical Vulnerability CVE-2016-1906 hazelcast-kubernetes - Critical - False Positive | 15.10.2021 | Critical (False Positive) | eptos Base Module (All Components); eptos Email Collector | CVE-2015-7561, CVE-2016-1905, CVE-2016-1906, CVE-2016-7075 |
| | 9.12.2021; 17.12.2021 (updated) | Critical | eptos modules, all releases 5.3 - 6.1; eptos Search Engine 2.0 - 2.1 | |
| | 21.12.2021; 22.12.2021 (updated) | Critical | eptos modules 6.1; eptos Search Engine 2.0 - 2.1 (only if logging of APIs has been turned on; default off) | CVE-2021-45105 |
BASE-1501 | Frontend Vulnerability Bug CVE-2022-1586, CVE-2022-1587 - Critical | 21.06.2022 | Critical | eptos Base Module (All Components); eptos Email Collector; eptos Search Engine | CVE-2022-1586, CVE-2022-1587 |
| | 01.09.2022 | Critical | eptos Base Module (All Components); eptos Business Party Manager; eptos Dictionary Transformation Manager; eptos Document Manager; eptos Terminology Manager; eptos Unit and Quantity Manager; eptos Template Manager; eptos Publication Manager; eptos Item Manager; eptos Dictionary Manager; eptos Email Collector; eptos Search Engine; eptos Search Engine 2.1 | CVE-2018-10237 |
BASE-1907 | Cumulative Security Patch for eptos Release 6.1.x - 2023-11 | | | eptos 6.1 (All Components) | see bulletin |
BASE-1910 | Cumulative Security Patch for eptos Release 6.2.x - 2023-11 | | | eptos 6.2 (All Components) | see bulletin |
BASE-1911 | Critical CVE-2023-46604 activemq-protobuf 1.1 - False Positive | 17.11.2023 | Critical (False Positive) | eptos 6.x (All Components) | CVE-2023-46604 |
BASE-1913 | Cumulative Security Patch for eptos Release 6.3.x - 2023-11 | | | eptos 6.3 (All Components) | |