Overview
The eptos base module uses the third-party library pentaho (kettle), which in turn bundles the Log4j library in a version affected by the vulnerabilities listed below (all of them concern the Log4j 1.x line).
As a result, critical CVEs are reported for the eptos base module / base-module-etl-export image.
| Summary | |
|---|---|
| Advisory Release Date | 05.05.2021 |
| Products | eptos base module / base-module-etl-export |
| Affected Releases | 6.1.* |
| Fixed Releases | 6.4 |
| CVE ID | CVE-2019-17571, CVE-2020-9493, CVE-2022-23305, GHSA-2qrg-x229-3v8q, GHSA-65fg-84f6-3jq3, GHSA-f7vh-qwp3-x37m |
| Issue ID | BASE-1003 |
| Further information | |
Summary of Vulnerability
The eptos base module uses the third-party library pentaho (kettle), which in turn bundles a vulnerable version of the Log4j library.
As a result, critical CVEs are found for the eptos base module / base-module-etl-export image during scanning.
Software Fixes
- The fix is included by default in the upcoming eptos version 6.4.
- For earlier versions, an update of the affected pentaho/kettle library for the impacted eptos image can be prepared on demand for existing customers. Please contact your Solution Manager or Support for an upgrade.
What you need to do
- Replace the eptos base module / base-module-etl-export image in your Kubernetes cluster with the build delivered to your customer repository.
- Retest the export functionality.
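As an added example for this step (it is not part of the advisory and not eptos or Paradine tooling): a Python script that walks an exported container filesystem and reports every jar that still carries Log4j 1.x classes, naming which of the listed CVEs' components (SocketServer, bundled Chainsaw, JDBCAppender) it finds. It assumes the image filesystem has been exported to a directory, for example with `docker export`, and that the fixed pentaho/kettle build no longer ships those classes; the sample jars are constructed in a temp directory so the script runs offline.

```python
"""Check an unpacked container filesystem for Log4j 1.x jars.

Added example for this advisory, not eptos or Paradine tooling.
Assumptions (not stated on the page): the image filesystem has been exported
to a directory, and the fixed pentaho/kettle build no longer ships Log4j 1.2.x
classes. The sample jars below are constructed test data, not real artifacts.
"""
import os
import tempfile
import zipfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log4j 1.2.x components the advisory's CVEs concern. Log4j 2 lives under
# org/apache/logging/log4j/, so these prefixes only match the 1.x line.
RISKY_PREFIXES: Dict[str, str] = {
    "org/apache/log4j/net/SocketServer.class": "CVE-2019-17571",   # SocketServer deserialization
    "org/apache/log4j/chainsaw/": "CVE-2020-9493",                # bundled Chainsaw viewer
    "org/apache/log4j/jdbc/JDBCAppender.class": "CVE-2022-23305", # JDBCAppender SQL injection
}
POM_PROPERTIES = "META-INF/maven/log4j/log4j/pom.properties"


@dataclass
class Finding:
    jar: str
    version: str        # from Maven metadata, or "unknown" for shaded/relocated copies
    issues: List[str]   # CVE IDs whose component is present in the jar


def _log4j_version(zf: zipfile.ZipFile, names: List[str]) -> str:
    if POM_PROPERTIES not in names:
        return "unknown"
    for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return "unknown"


def inspect_jar(path: str) -> Optional[Finding]:
    """Return a Finding if the jar contains Log4j 1.x classes, else None."""
    try:
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
            if not any(n.startswith("org/apache/log4j/") for n in names):
                return None
            # A present component means the image still ships it and a scanner
            # will flag it; an empty report is what proves the update removed it.
            issues = sorted({cve for prefix, cve in RISKY_PREFIXES.items()
                             if any(n.startswith(prefix) for n in names)})
            return Finding(jar=path, version=_log4j_version(zf, names), issues=issues)
    except zipfile.BadZipFile:
        return None  # not a jar despite the extension; ignore


def scan_tree(root: str) -> List[Finding]:
    """Walk an exported image filesystem and report every jar with Log4j 1.x inside."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".jar", ".war", ".zip")):
                full = os.path.join(dirpath, name)
                hit = inspect_jar(full)
                if hit is not None:
                    hit.jar = os.path.relpath(full, root).replace(os.sep, "/")
                    findings.append(hit)
    return sorted(findings, key=lambda f: f.jar)


def build_sample_tree(root: Optional[str] = None) -> str:
    """Create a constructed, minimal stand-in for an exported image (test data only)."""
    root = root or tempfile.mkdtemp(prefix="image-scan-")
    lib = os.path.join(root, "opt", "pentaho", "lib")
    os.makedirs(lib, exist_ok=True)
    # Vulnerable Log4j 1.2.17 stand-in: Maven metadata plus the three risky components.
    with zipfile.ZipFile(os.path.join(lib, "log4j-1.2.17.jar"), "w") as zf:
        zf.writestr(POM_PROPERTIES, "groupId=log4j\nartifactId=log4j\nversion=1.2.17\n")
        for entry in ("org/apache/log4j/Logger.class",
                      "org/apache/log4j/net/SocketServer.class",
                      "org/apache/log4j/chainsaw/Main.class",
                      "org/apache/log4j/jdbc/JDBCAppender.class"):
            zf.writestr(entry, b"")
    # Log4j 2 stand-in: different package root, must not be flagged.
    with zipfile.ZipFile(os.path.join(lib, "log4j-core-2.17.1.jar"), "w") as zf:
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"")
    # Unrelated application jar (hypothetical name).
    with zipfile.ZipFile(os.path.join(lib, "etl-export.jar"), "w") as zf:
        zf.writestr("com/example/export/Main.class", b"")
    return root


def demo() -> List[Finding]:
    root = build_sample_tree()
    findings = scan_tree(root)
    for f in findings:
        print(f"{f.jar}: log4j {f.version} -> {', '.join(f.issues) or 'no flagged component'}")
    if not findings:
        print("no Log4j 1.x jars found")
    return findings


if __name__ == "__main__":
    demo()
```

Run `scan_tree` against the exported filesystem of the old image and of the replacement build delivered to your customer repository; the replacement should produce an empty report, which is the check to pair with the functional retest of the export.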
Mitigation
- Update the eptos base module / base-module-etl-export image.
Support
If you have questions or concerns regarding this advisory, contact support (at) paradine.at and include BASE-1003 in your issue description.