Patched Vulnerabilities

This page provides information about the common security vulnerabilities that were patched in Anzo and AnzoGraph releases.

Anzo Releases

Anzo 5.3.12
Anzo 5.3.11
Anzo 5.3.10
Anzo 5.3.9
Anzo 5.3.8
Anzo 5.3.6
Anzo 5.3.4
Anzo 5.3.2
Anzo 5.3.0

AnzoGraph Releases

AnzoGraph 2.5.17
AnzoGraph 2.5.15
AnzoGraph 2.5.14
AnzoGraph 2.5.12
AnzoGraph 2.5.11
AnzoGraph 2.5.10
AnzoGraph 2.5.8
AnzoGraph 2.5.7
AnzoGraph 2.5.6
AnzoGraph 2.5.5
AnzoGraph 2.5.4
AnzoGraph 2.5.3
AnzoGraph 2.5.2
AnzoGraph 2.5.1
AnzoGraph 2.4.1
AnzoGraph 2.3.3, 2.4.0, 2.5.0
AnzoGraph 2.1.8

Anzo Releases

Anzo 5.3.12

CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
CVE-2022-38900: The decode-uri-component dependency was updated to remediate a potential Denial of Service (DOS) vulnerability.
CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Batik of Apache XML Graphics dependency was updated to version 1.16 to remediate a Server-Side Request Forgery (SSRF) vulnerability as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DOS) vulnerability.
CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DOS) vulnerability.
CVE-2022-45047: The Apache SSHD dependency was updated to version 2.9.2 to remediate this vulnerability.
SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javaassit dependencies were updated to remediate these vulnerabilities.

Anzo 5.3.11

CVE-2022-42003: The FasterXML jackson-databind dependency was updated to remediate a possible resource exhaustion vulnerability.
CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Batik of Apache XML Graphics dependency was updated to remediate a Server-Side Request Forgery (SSRF) vulnerability as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
CVE-2022-40149 and CVE-2022-40150: The Jettison dependency was updated to remediate a possible Denial of Service (DOS) vulnerability.
CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
CVE-2022-3171: The protobuf dependency was updated to remediate a possible Denial of Service (DOS) vulnerability.
CVE-2022-36944: The Scala library dependency for Anzo Unstructured was updated to remediate this possible deserialization of untrusted data vulnerability.
CVE-2021-0341: The com.squareup.okhttp dependency for Anzo Unstructured was updated to remediate this possible improper certificate validation vulnerability.
CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, and CVE-2022-38752: The snakeYAML dependency for Anzo Unstructured was updated to remediate these possible Denial of Service (DOS) vulnerabilities.
CVE-2022-36033: The jsoup dependency for Anzo Unstructured was updated to remediate this possible cross-site scripting (XSS) vulnerability.
CVE-2018-12536: The Eclipse Jetty Server dependency for Anzo Unstructured was updated to remediate this vulnerability.
CVE-2022-33879: The org.apache.tika dependency for Anzo Unstructured was updated to remediate this vulnerability.

Anzo 5.3.10

CVE-2022-36033: The jsoup Java HTML parser dependency was updated to version 1.15.3 to remediate a cross-site scripting (XSS) vulnerability.
CVE-2022-25857: The org.yaml:snakeyaml dependency was updated to version 1.31 to remediate a Denial of Service (DOS) vulnerability.
CVE-2022-34169: The Apache Xalan Java XSLT library was removed to avoid an integer truncation issue that could occur when processing malicious XSLT stylesheets.

Several Anzo Distributed Unstructured dependencies were updated to remediate the following vulnerabilities:

CVE-2019-20444	CVE-2021-37136	CVE-2021-35516	CVE-2018-1000632	CVE-2021-21290	CVE-2021-28657
CVE-2019-20445	CVE-2021-37137	CVE-2021-35517	CVE-2014-0114	CVE-2012-5783	CVE-2022-25169
CVE-2019-17571	CVE-2020-7238	CVE-2021-36090	CVE-2012-0881	CVE-2021-29425	CVE-2022-30126
CVE-2022-23305	CVE-2021-29505	CVE-2020-11988	CVE-2013-4002	CVE-2021-28169	CVE-2022-30973
CVE-2021-27568	CVE-2021-43859	CVE-2018-10936	CVE-2020-13956	CVE-2020-15250	CVE-2021-27807
CVE-2022-21724	CVE-2022-23302	CVE-2020-13692	CVE-2020-15522	CVE-2018-11771	CVE-2021-27906
CVE-2019-13990	CVE-2022-23307	CVE-2022-25647	CVE-2020-0187	CVE-2018-1324	CVE-2021-31811
CVE-2020-10683	CVE-2021-4104	CVE-2020-9492	CVE-2020-26939	CVE-2018-10237	CVE-2021-31812
CVE-2017-18640	CVE-2021-33813	CVE-2019-14262	CVE-2021-22569	CVE-2020-1950	CVE-2022-26336
CVE-2020-28491	CVE-2020-13936	CVE-2022-23596	CVE-2021-43797	CVE-2020-1951	CVE-2019-12415
CVE-2022-25647	CVE-2021-35515	CVE-2022-2048	CVE-2021-21295	CVE-2020-9489	CVE-2022-24613
CVE-2019-17573	CVE-2020-13954	CVE-2019-12406	CVE-2020-1945	CVE-2021-36373	CVE-2022-24614
CVE-2009-2625	CVE-2021-34428	CVE-2021-36374

Anzo 5.3.9

CVE-2022-2047: The Eclipse jetty dependency was updated to version 9.4.46 to remediate a vulnerability that could lead to failures in a Proxy scenario.
CVE-2022-33980: The Apache Commons Configuration (commons-configuration) dependency was updated to version 2.8 to remediate this vulnerability.

Anzo 5.3.8

CVE-2022-25169: The Apache Tika dependency was updated to version 1.28.3 to remediate a BPG parser vulnerability.
CVE-2022-31129: The moment JavaScript library dependency was upgraded to remediate this vulnerability.

Anzo 5.3.6

CVE-2021-21409, CVE-2021-21295, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, and CVE-2021-43797: The Netty gRPC dependency library (grpc-netty-shaded) was updated to version 4.1.72 to remediate the listed vulnerabilities.
CVE-2021-43797, CVE-2022-24823, CVE-2021-37136, and CVE-2021-37137: The Netty IO dependency library (io.netty.*) was updated to version 4.1.77 to remediate the listed vulnerabilities.
CVE-2021-22569: The protobuf-java dependency library was updated to version 3.8.2 to resolve this vulnerability.
CVE-2018-1337: The Apache Directory LDAP API dependency was updated to version 1.0.3 to remediate this vulnerability.
CVE-2021-41973: The Apache MINA dependency was updated to version 2.0.23 to remediate this vulnerability.
CVE-2019-10101 and CVE-2020-29582: The JetBrains Kotlin dependency was updated to version 1.6.21 to remediate these potential man-in-the-middle (MITM) vulnerabilities.
CVE-2019-0809: The Anzo CData JDBC and ODBC drivers were updated to remediate a Visual Studio remote code execution vulnerability.
CVE-2022-25169: The Apache Tika dependency was updated to version 1.28.2 to remediate a BPG parser vulnerability.
CVE-2021-22573: The com.google.oauth-client dependency was updated to version 1.31.3 to remediate an IDToken verifier vulnerability.
CVE-2022-25647: The com.google.code.gson:gson package was updated to version 2.8.9 to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2021-22112, CVE-2019-3795, CVE-2021-22096, CVE-2016-1000027, CVE-2022-22950, and CVE-2022-22965: The Spring Framework dependencies were updated to version 5.3.19_1 to remediate the listed vulnerabilities.
CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, and CVE-2021-43797: The Netty IO dependency library for the Anzo Unstructured software was updated to remediate the listed vulnerabilities.
CVE-2021-44878: The Pac4j dependency was updated to version 5.3.0 to remediate an OpenID Connect provider vulnerability.
CVE-2022-24721: The CometD dependency was updated to version 5.0.11 to remediate a vulnerability where a remote user could have subscribed to the Oort and Seti channels and watched internal network traffic.
CVE-2021-42550: The logback-core dependency was updated to version 1.2.9 to remediate a potential vulnerability that could have allowed an attacker to craft a malicious configuration.
CVE-2021-42392 and CVE-2022-23221: The H2 database dependency was updated to version 2.1.212 to remediate an unauthenticated remote code execution vulnerability.
CVE-2022-26336: The Apache POI (poi-scratchpad) dependency was updated to version 5.2.2 to remediate an Out of Memory exception vulnerability.
CVE-2022-26612: The Apache Hadoop dependency was updated to version 3.2.3 to remediate a symlink vulnerability.
CVE-2020-36518: The jackson-databind dependency was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
CVE-2017-7658, CVE-2017-7657, and CVE-2018-7489: The shaded classes were removed from the EHCache dependencies to remediate the listed vulnerabilities.
Fixed CVE-2018-25032, CVE-2022-0778, CVE-2021-23222, CVE-2021-3634, CVE-2021-23177, CVE-2021-31566, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, and CVE-2022-23308: The Anzo dynamic K8s fluent-bit component was updated to resolve the listed vulnerabilities.
CVE-2021-41184, CVE-2021-41183, and CVE-2021-41182: The JQuery-UI library was updated to remediate the listed vulnerabilities.
CVE-2021-23337, CVE-2020-28500, CVE-2020-8203, CVE-2019-10744, CVE-2019-1010266, CVE-2018-16487, CVE-2018-3721, and CWE-400: The Lodash dependency was updated to remediate the listed vulnerabilities.

Anzo 5.3.4

CVE-2021-22144, CVE-2021-22145, and CVE-2021-22147: The Elasticsearch dependencies were updated to version 7.14.1 to resolve the listed vulnerabilities.
CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, and CVE-2021-36090: The Apache Commons Compress (org.apache.commons.commons-compress) library was updated to version 1.21.0 to remediate Denial of Service (DoS) vulnerabilities.
CVE-2021-34429: The Eclipse Jetty dependency was updated to version 9.4.43.v20210629 to remediate a security constraint vulnerability.
CVE-2021-37714: The jsoup Java library was updated to version 1.14.2 to remediate Denial of Service (DoS) vulnerability.
CVE-2021-41616: The unused Apache DB DdlUtils (org.apache.ddlutils) .jar file was removed from Anzo to remediate this vulnerability.
The netty dependency was updated to version 4.1.70.

Anzo 5.3.2

The following vulnerabilities were remediated in Anzo Unstructured Leader and Worker software dependencies.

The Data Mapper and Data Binding packages for Jackson were upgraded to remediate the following vulnerabilities:

CVE-2017-7525	CVE-2018-14718	CVE-2018-7489	CVE-2017-15095	CVE-2017-17485
CVE-2018-5968	CVE-2018-1000873	CVE-2019-14893	CVE-2019-14540	CVE-2019-16335
CVE-2019-17267	CVE-2019-20330	CVE-2019-16943	CVE-2019-16942	CVE-2019-17531
CVE-2019-14892	CVE-2020-8840	CVE-2020-9546	CVE-2020-9547	CVE-2020-9548
CVE-2020-35490	CVE-2020-35491	CVE-2020-25649	CVE-2020-10672	CVE-2020-10673
CVE-2020-10968	CVE-2020-10969	CVE-2020-11111	CVE-2020-11112	CVE-2020-11113
CVE-2020-11619	CVE-2020-11620	CVE-2020-14060	CVE-2020-14061	CVE-2020-14062
CVE-2020-14195	CVE-2020-24616	CVE-2020-24750	CVE-2021-20190	CVE-2020-35728
CVE-2020-36179 through 36189

CVE-2016-5007, CVE-2016-9878, CVE-2018-1271, CVE-2018-1272, CVE-2018-1273, and CVE-2018-15756: The Spring Data Commons package was upgraded to remediate the listed vulnerabilities.
CVE-2018-1270: The Spring Framework package was upgraded to remediate a remote code execution vulnerability.
CVE-2019-17195: The Nimbus JOSE + JWT library was upgraded to remediate an issue with uncaught exceptions that had a potential authentication bypass vulnerability.
CVE-2019-20444, CVE-2019-20445, and CVE-2019-16869: The Netty dependency was upgraded to remediate a vulnerability with inconsistent interpretation of HTTP requests (HTTP Request Smuggling).
CVE-2021-27568: The Json-smart dependency was upgraded to remediate an improper check for unusual or exceptional conditions.
CVE-2015-6748 and CVE-2021-37714: The Java HTML Parser library, jsoup, was upgraded to remediate a Cross-Site Scripting (XSS) and possible Denial of Service (DoS) vulnerability.
CVE-2020-26939: The Bouncy Castle dependency was upgraded to remediate observable differences in behavior to error inputs.
CVE-2017-15288: The Scala compilation daemon dependency was upgraded to remediate an incorrect permission assignment for critical resource vulnerability.
CVE-2020-9492: The Apache Hadoop dependency was upgraded to remediate an incorrect authorization vulnerability.
CVE-2019-10086: The Apache Commons Beanutils dependency was upgraded to remediate a deserialization flaw.

Anzo 5.3.0

CVE-2021-22134: The Elasticsearch dependency was upgraded to version 7.12 to remediate a document disclosure flaw when Document or Field Level Security was used.
CVE-2020-28491: The Jackson Dataformat XML dependency was upgraded to version 2.12.1 to remediate an unchecked allocation of byte buffers that could cause a java.lang.OutOfMemoryError exception.
CVE-2021-29425: The Apache Commons IO dependency was upgraded to version 2.8 to remediate an issue where an improper input string to a subdirectory could result in access to the parent directory.
CVE-2021-28657: The Apache Tika dependency was upgraded to version 1.26 to remediate an issue where a corrupt file could trigger an infinite loop in Tika's MP3Parser.
CVE-2020-27223, CVE-2021-28163, and CVE-2021-28165: The Eclipse Jetty dependency was updated to version 9.4.40.v20210413 to remediate a Denial of Service (DoS) vulnerability.
CVE-2020-13947 and CVE-2021-26117: The Apache ActiveMQ dependency was upgraded to version 5.16.2 to remediate a Cross-Site Scripting (XSS) vulnerability as well as a vulnerability that could result in a failure to check passwords.
CVE-2020-8554 and CVE-2020-8570: The Kubernetes API and Java client libraries were upgraded to remediate these vulnerabilities.
The JQuery dependencies were updated to resolve Cross-Site Scripting (XSS) vulnerabilities.

AnzoGraph Releases

AnzoGraph 2.5.17

CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.

AnzoGraph 2.5.15

CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate this vulnerability.

AnzoGraph 2.5.14

CVE-2022-2191: The Eclipse Jetty dependency for the frontend user interface was updated to version 11.0.14 to remediate this vulnerability.

AnzoGraph 2.5.12

SONATYPE-2022-6438: The jackson-core and jackon-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.
GHSA-h4h5-3hr4-j3g2: The com.google.protobuf and woodstox-core dependencies were updated to remediate this vulnerability.

AnzoGraph 2.5.11

CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
CVE-2022-42003 and CVE-2022-42004: The FasterXML jackson-databind dependencies were updated to remediate these vulnerabilities.
CVE-2022-41853: To mitigate this vulnerability, the HyperSQL DataBase driver was removed from the product.
CVE-2022-36944: The Scala library was updated to version 2.13.9 to remediate this vulnerability.
CVE-2020-15250: The JUnit dependency was updated to version 4.13.1 to remediate this vulnerability.

AnzoGraph 2.5.10

CVE-2015-6420: The Apache Commons Collections (ACC) library (commons-collections) dependency was updated to remediate this vulnerability.
CVE-2022-25168: The Apache Hadoop file utility (hadoop-common) dependency was updated to remediate this vulnerability.
CVE-2022-2309: The python2-lxml dependency was updated to remediate this vulnerability.

AnzoGraph 2.5.8

CVE-2022-31129: The moment JavaScript library dependency in the AnzoGraph user interface was upgraded to remediate this vulnerability.

AnzoGraph 2.5.7

CVE-2021-0341: The unused Java component OkHostnameVerifier.java was removed from the AnzoGraph user interface to remediate this vulnerability.

AnzoGraph 2.5.6

CVE-2020-8908: Updated the GDI Guava dependency to remediate a temp directory creation vulnerability.
CVE-2021-22573: Updated the GDI com.google.oauth-client:google-oauth-client dependency to version 1.33.3 to remediate a vulnerability where the IDToken verifier did not verify if a token was properly signed.
CVE-2022-24823: Updated the GDI Netty IO dependency to version 4.1.77.Final to remediate this vulnerability.

AnzoGraph 2.5.5

CVE-2020-36518: The jackson-databind dependency for AnzoGraph extensions and the frontend user interface was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.

AnzoGraph 2.5.4

CVE-2021-3807: The ansi-regex dependency in the frontend user interface was updated to remediate an Inefficient Regular Expression Complexity vulnerability.
CVE-2022-0778: The MySQL driver was updated to remediate a Denial of Service (DoS) vulnerability related to certificate parsing.
CVE-2022-29078: The Embedded JavaScript templates package for Node.js, which is used in the frontend user interface, was updated to remediate a vulnerability that could allow server-side template injection.

AnzoGraph 2.5.3

CVE-2022-24785: The Moment.js JavaScript date library frontend user interface dependency was updated to remediate a path traversal vulnerability.
CVE-2020-15366, CVE-2021-3757, CVE-2021-3918, CVE-2021-23807: The Another JSON Schema Validator (AJV), json-schema, jsonpointer, and immer frontend user interface dependencies were updated to remediate "prototype pollution" vulnerabilities.
CVE-2021-23364, CVE-2021-27290, and CVE-2021-23382: The package browserslist, ssri, and postcss frontend user interface dependencies were updated to remediate a Regular Expression Denial of Service (ReDoS) vulnerability.
CVE-2021-3803: The nth-check frontend user interface dependency was updated to remediate an Inefficient Regular Expression Complexity vulnerability.

AnzoGraph 2.5.2

CVE-2020-36518: The jackson-databind dependency in the GDI and Neptune and Geospatial extensions was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
CVE-2021-3807 and CVE-2021-44906: The ansi-regex and Minimist dependencies in the AnzoGraph frontend container were updated to remediate vulnerabilities.
CVE-2022-25315: The Expat library for Red Hat Enterprise Linux and CentOS 7 was updated to remediate the integer overflow flaw in libexpat.

AnzoGraph 2.5.1

Updated 2.5.1 Docker Images

The following Docker images were re-released to resolve the vulnerabilities listed below:

docker.io/cambridgesemantics/anzograph-frontend:latest
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912-b202202242300
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
docker.io/cambridgesemantics/anzograph-frontend:2.5.1
docker.io/cambridgesemantics/anzograph-db:latest
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-db:2.5.1
docker.io/cambridgesemantics/anzograph:latest
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph:2.5.1
docker.io/cambridgesemantics/anzograph-devel:latest
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-devel:2.5.1

CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Released 2.5.1 Red Hat Marketplace Images

The following release of Red Hat Marketplace images resolve the vulnerabilities listed below:

cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202282115
cambridgesemantics/anzograph:2.5.1-r202202161817-b202202282115

CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Initial 2.5.1 Release of all Deployment Methods Except Red Hat Marketplace

CVE-2021-21290, CVE-2021-37137, CVE-2021-21409, CVE-2021-37136, CVE-2021-21295, and CVE-2021-43797: The Netty dependencies were upgraded to remediate the listed vulnerabilities.
CVE-2021-44832: The Apache Log4j 2 Java library was upgraded to version 2.17.1 to remediate a vulnerability related to a remote code execution (RCE) attack.
CVE-2021-22569: The protobuf-java dependency was upgraded to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2021-3712: The OpenSSL library dependencies were updated to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2020-25704, CVE-2020-36322, and CVE-2021-42739: The Linux kernel headers dependency was upgraded to remediate a heap-based buffer overflow flaw related to kernel drivers.

AnzoGraph 2.4.1

Updated 2.4.1 Docker Images

The following Docker images were re-released to resolve the vulnerabilities listed below:

docker.io/cambridgesemantics/anzograph-frontend:2.4.1-i202202051157-b202202242301
docker.io/cambridgesemantics/anzograph-frontend:2.4.1-i202202051157
docker.io/cambridgesemantics/anzograph-frontend:2.4.1
docker.io/cambridgesemantics/anzograph-db:2.4.1-r202111191354-b202202242301
docker.io/cambridgesemantics/anzograph-db:2.4.1-r202111191354
docker.io/cambridgesemantics/anzograph-db:2.4.1
docker.io/cambridgesemantics/anzograph:2.4.1-r202111191354-b202202242301
docker.io/cambridgesemantics/anzograph:2.4.1-r202111191354
docker.io/cambridgesemantics/anzograph:2.4.1
docker.io/cambridgesemantics/anzograph-devel:2.4.1-r202111191354-b202202242301
docker.io/cambridgesemantics/anzograph-devel:2.4.1-r202111191354
docker.io/cambridgesemantics/anzograph-devel:2.4.1

CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Updated 2.4.1 Red Hat Marketplace Images

The following Red Hat Marketplace images were re-released to resolve the vulnerabilities listed below:

cambridgesemantics/anzograph-frontend:2.4.1-i202202051157-b202202282114
cambridgesemantics/anzograph-db:2.4.1-r202111191354-b202202282114
cambridgesemantics/anzograph:2.4.1-r202111191354-b202202282114

CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Initial 2.4.1 Release of all Deployment Methods

CVE-2021-21290, CVE-2021-37137, CVE-2021-21409, CVE-2021-37136, CVE-2021-21295, and CVE-2021-43797: The Netty dependencies were upgraded to remediate the listed vulnerabilities.
CVE-2021-44832: The Apache Log4j 2 Java library was upgraded to version 2.17.1 to remediate a vulnerability related to a remote code execution (RCE) attack.
CVE-2021-22569: The protobuf-java dependency was upgraded to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2021-3712: The OpenSSL library dependencies were updated to remediate a potential Denial of Service (DoS) vulnerability.
CVE-2020-25704, CVE-2020-36322, and CVE-2021-42739: The Linux kernel headers dependency was upgraded to remediate a heap-based buffer overflow flaw related to kernel drivers.

AnzoGraph 2.3.3, 2.4.0, 2.5.0

CVE-2021-33502: The normalize-url library that is used in the AnzoGraph front end user interface was upgraded to remediate a Regular Expression Denial of Service (ReDoS) CVE.
This issue does not affect most Anzo deployments because the AnzoGraph front end is typically not installed when AnzoGraph is integrated with Anzo.
CVE-2021-35517, CVE-2021-35516, and CVE-2021-35515: The Apache Commons Compress libraries (commons-compress and commons-io) that are used in the Graph Data Interface (GDI) plugin were upgraded.

AnzoGraph 2.1.8

CVE-2020-25649: The FasterXML Jackson Databind package that is used in the AnzoGraph Geospatial extension and front end user interface was upgraded to version 2.11.0 to remediate a vulnerability to XML external entity (XXE) attacks.
This issue does not affect most Anzo deployments because the Geospatial extension is not included by default in AnzoGraph "static" deployments that use the installer. The extension is included in dynamic, Kubernetes-based AnzoGraph deployments.