Overview
The eptos base module uses the third-party library pentaho, which in turn uses the log4j library, which turned out to be vulnerable.
As a result, critical CVEs are found in the eptos base module / base-module-etl-export image.
| Summary | |
|---|---|
| Advisory Release Date | 05.05.2021 |
| Products | eptos base module / base-module-etl-export |
| Affected Releases | 6.1.* |
| Fixed Releases | 6.4 |
| CVE ID | CVE-2019-17571, CVE-2020-9493, CVE-2022-23305, GHSA-2qrg-x229-3v8q, GHSA-65fg-84f6-3jq3, GHSA-f7vh-qwp3-x37m |
| Issue ID | BASE-1003 |
| Further information | |
Summary of Vulnerability
The eptos base module uses the third-party library pentaho, which in turn uses the log4j library, which turned out to be vulnerable.
As a result, critical CVEs are found in the eptos base module / base-module-etl-export image during scanning.
Software Fixes
- An upgrade is available by default in the upcoming eptos version 6.4.
- In earlier versions:
  - An update of the involved pentaho/kettle library for the impacted eptos image can be prepared on demand for existing customers.
  - Please contact your Solution Manager or Support for an upgrade.
What you need to do
- Replace the eptos base module / base-module-etl-export image in your Kubernetes cluster with the build delivered in your customer repository.
- Perform retests of the export functionalities.
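As an added verification for the retest step (example script written for this advisory, not part of eptos or pentaho), the following POSIX shell functions scan an extracted image filesystem for leftover log4j 1.x jars. The directory layout and the `docker create` / `docker export` extraction route are assumptions; any directory tree containing the image's jars works.

```shell
#!/bin/sh
# Assumed input: a directory holding the image's extracted filesystem, e.g.
#   docker create --name tmp <image>; docker export tmp | tar -x -C /tmp/img
# (image name and target path are placeholders).

# Jars whose file name marks them as log4j 1.x, the generation that carries
# CVE-2019-17571, CVE-2020-9493 and CVE-2022-23305 (e.g. log4j-1.2.17.jar
# as bundled by older pentaho/kettle releases).
find_log4j1_jars() {
  find "$1" -type f -name 'log4j-1.*.jar' 2>/dev/null | sort
}

# Heuristic for renamed or shaded copies: any jar that ships the
# org.apache.log4j package. Needs unzip; silently skipped otherwise.
# Note: the log4j-1.2-api bridge of log4j 2 also provides this package,
# so hits from this function need a manual look at the jar's manifest.
find_shaded_log4j1() {
  command -v unzip >/dev/null 2>&1 || return 0
  find "$1" -type f -name '*.jar' 2>/dev/null | while read -r jar; do
    if unzip -l "$jar" 2>/dev/null | grep -q 'org/apache/log4j/Logger.class'; then
      echo "$jar"
    fi
  done
}

# Gate for the retest: returns 0 when no log4j 1.x jar is left under the
# given directory, 1 (and prints the findings) when the old image is still
# in place or the replacement still bundles the library.
check_image_clean() {
  hits=$( { find_log4j1_jars "$1"; find_shaded_log4j1 "$1"; } | sed '/^$/d' | sort -u)
  if [ -n "$hits" ]; then
    echo "log4j 1.x still present under $1:"
    printf '%s\n' "$hits"
    return 1
  fi
  echo "no log4j 1.x jars found under $1"
  return 0
}
```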
Mitigation
- Update the eptos base module / base-module-etl-export image.
Support
If you have questions or concerns regarding this advisory, contact support (at) paradine.at and add BASE-1003 to your issue description.