
BASE-1003: API Vulnerability Bug log4j in pentaho third-party library - Critical

Overview

The eptos base module uses the third-party library pentaho, which itself depends on the log4j library; that log4j version turned out to be vulnerable.

As a result, critical CVEs are reported for the eptos base module / base-module-etl-export image.

Summary

Advisory Release Date

05.05.2021

Products

eptos base module / base-module-etl-export

Affected Releases

6.1.*

Fixed Releases

6.4

CVE ID

CVE-2019-17571

CVE-2020-9493

CVE-2022-23305

GHSA-2qrg-x229-3v8q

GHSA-65fg-84f6-3jq3

GHSA-f7vh-qwp3-x37m

Issue ID

BASE-1003

Further information

Summary of Vulnerability

The eptos base module uses the third-party library pentaho, which itself depends on the log4j library; that log4j version turned out to be vulnerable.

As a result, critical CVEs are found for the eptos base module / base-module-etl-export image during image scanning.

Software Fixes

  • The upgrade is included by default in the upcoming eptos version 6.4.

  • In earlier versions:

    • An update of the involved pentaho/kettle library for the impacted eptos image can be prepared on demand for existing customers.
      Please contact your Solution Manager or Support for an upgrade.

What you need to do

  • Replace the eptos base module / base-module-etl-export image in your Kubernetes cluster with the build delivered in your customer repository.

  • Retest the export functionality.
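
As an added verification step after the image swap (example code written for this page, not part of the advisory and not eptos or Pentaho code): walk the extracted filesystem of the new image, list every log4j jar with the version from its manifest, and flag the ones on the log4j 1.x line, which is the line the three CVEs above concern. The directory layout, jar names and the helper that builds them are constructed sample data; only the detection logic is meant to be reused against a real image root.

```python
import os
import re
import tempfile
import zipfile

# Constructed check, not from the advisory: report log4j jars below an image
# root and flag the 1.x line (CVE-2019-17571, CVE-2020-9493 and CVE-2022-23305
# all affect log4j 1.x). A 1.x jar still present means the update did not land.

# Matches log4j.jar, log4j-1.2.17.jar, log4j-core-2.17.1.jar, ...
LOG4J_JAR = re.compile(
    r"^log4j(?:-[a-z0-9]+)*?(?:-(\d+(?:\.\d+)*))?\.jar$", re.IGNORECASE)


def read_manifest_version(jar_path):
    """Return Implementation-Version or Bundle-Version from the jar manifest, else None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Implementation-Version", "Bundle-Version"):
            return value.strip()
    return None


def find_log4j_jars(root):
    """Return sorted (path relative to root, version) for every log4j jar below root.

    The manifest wins; the version in the file name is the fallback, and a jar
    with neither is reported as "unknown" so it is not silently passed over.
    """
    found = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = LOG4J_JAR.match(name)
            if not m:
                continue
            path = os.path.join(dirpath, name)
            version = read_manifest_version(path) or m.group(1) or "unknown"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            found.append((rel, version))
    return sorted(found)


def log4j1_jars(root):
    """Return the jars to act on: the 1.x line plus anything whose version is unknown."""
    return [(p, v) for p, v in find_log4j_jars(root)
            if v == "unknown" or v.split(".")[0] == "1"]


def _write_jar(path, version=None):
    # Constructed sample: a near-empty jar, optionally carrying a manifest version.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if version is not None:
            zf.writestr("META-INF/MANIFEST.MF",
                        "Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n" % version)
        else:
            zf.writestr("placeholder.txt", "")


def demo():
    """Build a constructed image tree and return (all log4j jars, flagged jars)."""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "opt", "pentaho", "lib")  # constructed path, not eptos's
        _write_jar(os.path.join(lib, "log4j-1.2.17.jar"), "1.2.17")
        _write_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")
        _write_jar(os.path.join(lib, "log4j-1.2.15.jar"))       # no manifest: name is used
        _write_jar(os.path.join(lib, "kettle-core.jar"), "9.0")  # not log4j, ignored
        return find_log4j_jars(root), log4j1_jars(root)


if __name__ == "__main__":
    all_jars, flagged = demo()
    for path, version in all_jars:
        print("%-40s %s" % (path, version))
    print("log4j 1.x jars still present:", len(flagged))
```

Run it against a real root (for example a directory the image filesystem was exported into) by calling `log4j1_jars("/path/to/rootfs")`; an empty result for the replaced image is the evidence to keep with the retest records.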

Mitigation

  • Update the eptos base module / base-module-etl-export image.

Support

If you have questions or concerns regarding this advisory, contact support (at) paradine.at and add BASE-1003 to your issue description.
