Patched Vulnerabilities
This page lists the publicly disclosed security vulnerabilities, almost all of them in third-party dependencies, that were patched in Anzo and AnzoGraph releases, together with the dependency change that remediated each one.
Anzo Releases
Anzo 5.4.9
- CVE-2024-7254: The Protocol Buffers parser dependency was updated to remediate this improper input validation vulnerability.
- CVE-2024-47561: The Apache Avro Java SDK dependency was upgraded to remediate this vulnerability.
- CVE-2024-47554: The Apache Commons IO dependency was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
- CVE-2020-2801, CVE-2023-41993: The Oracle JDK dependency was replaced with OpenJDK version 1.8 to remediate these vulnerabilities.
Anzo 5.4.8
- GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 package dependency was upgraded to remediate this HTTP/2 Rapid Reset denial of service (DoS) vulnerability.
- CVE-2020-11971: The Apache Camel's JMX dependency was upgraded to remediate this Rebind Flaw vulnerability.
- CVE-2024-21634: The ion-java dependency for AnzoGraphDB was updated to remediate this vulnerability.
Anzo 5.4.7
- CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability.
- CVE-2024-2961: The glibc library dependency was updated to remediate this vulnerability.
Anzo 5.4.6
- CVE-2018-1320: The Apache Thrift Java client library dependency was updated to remediate this vulnerability.
- CVE-2023-6378: The logback receiver component of the logback dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2023-34054 and CVE-2023-34062: The Reactor Netty HTTP Server dependency was updated to remediate these vulnerabilities.
- CVE-2023-33202: The Bouncy Castle for Java dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2023-46673: The Elasticsearch dependency was updated as it was identified that malformed scripts used in the script processor of a pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.
- GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 dependency for Anzo Distributed Unstructured was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.
Anzo 5.4.5
- CVE-2023-46604: The Apache ActiveMQ dependency was updated to remediate this possible remote code execution vulnerability.
- CVE-2023-39410: The Apache Avro dependency for Anzo Unstructured was updated to remediate this possible out of memory vulnerability.
- CVE-2023-41900, CVE-2023-36479, and CVE-2023-40167: The Eclipse Jetty dependency was updated to remediate these vulnerabilities.
- CVE-2022-44729 and CVE-2022-44730: The Apache XML Graphics Batik dependency was updated to remediate these possible Server-Side Request Forgery (SSRF) vulnerabilities.
- CVE-2023-2976: The Google Guava dependency was updated to remediate this vulnerability.
Anzo 5.4.2
- CVE-2023-24998: The Apache Commons FileUpload dependency for Anzo Unstructured was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2022-1471: Modified the SnakeYaml dependency for Anzo Unstructured to use the SafeConstructor when parsing content.
- CVE-2023-1370: The json-smart dependency was updated to remediate a possible stack overflow vulnerability.
- CVE-2023-1436: The Jettison dependency was updated to remediate this possible StackOverflowError vulnerability.
- CVE-2023-26048, CVE-2023-26049: The Jetty dependency was updated to remediate these vulnerabilities.
Anzo 5.4.1
- CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
- CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
- CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DoS) vulnerability.
- SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javassist dependencies were updated to remediate these vulnerabilities.
- CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
- CVE-2022-38900: The decode-uri-component dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.
Anzo 5.3.12
- CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
- CVE-2022-38900: The decode-uri-component dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Apache XML Graphics Batik dependency was updated to version 1.16 to remediate Server-Side Request Forgery (SSRF) vulnerabilities as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
- CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
- CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
- CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2022-45047: The Apache SSHD dependency was updated to version 2.9.2 to remediate this vulnerability.
- SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javassist dependencies were updated to remediate these vulnerabilities.
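The CVE-2022-1471 entries for 5.4.2, 5.4.1 and 5.3.12 above all describe the same change: parse untrusted YAML with SnakeYAML's SafeConstructor instead of the default Constructor. The following is an added example, not Anzo code, that shows why the default Constructor is dangerous and what SafeConstructor does instead. It assumes SnakeYAML 1.31 to 1.33 on the classpath (the LoaderOptions constructor exists there; in SnakeYAML 2.0 and later the default Constructor already refuses global tags unless a TagInspector permits them, so the first load would fail there as well). The YAML document and the class name in it are constructed for the demonstration.

```java
import java.util.Map;

import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeConstructorDemo {

    // Constructed sample input (not from the product). A "!!" global tag tells the
    // default Constructor which Java class to instantiate; java.io.File is a harmless
    // stand-in for the gadget classes that make CVE-2022-1471 exploitable.
    static final String UNTRUSTED_YAML =
            "name: demo\n" +
            "path: !!java.io.File [\"/tmp/demo\"]\n";

    // Before the fix: new Yaml() uses the default Constructor, which honors global
    // tags, so the document (and therefore whoever wrote it) chooses the class.
    static Object loadWithDefaultConstructor(String yaml) {
        return new Yaml().load(yaml);
    }

    // After the fix: SafeConstructor only builds the standard YAML types (maps,
    // sequences, scalars) and rejects any other tag with a ConstructorException.
    static Object loadWithSafeConstructor(String yaml) {
        Yaml safeYaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        return safeYaml.load(yaml);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadWithDefaultConstructor(UNTRUSTED_YAML);
        System.out.println("default Constructor instantiated: "
                + unsafe.get("path").getClass().getName());

        try {
            loadWithSafeConstructor(UNTRUSTED_YAML);
            System.out.println("unexpected: SafeConstructor accepted the global tag");
        } catch (YAMLException e) {
            // ConstructorException extends YAMLException; its message names the rejected tag.
            System.out.println("SafeConstructor rejected the document: " + e.getMessage());
        }

        // Tag-free configuration still loads normally, so legitimate input is unaffected.
        Map<?, ?> plain = (Map<?, ?>) loadWithSafeConstructor("name: demo\nretries: 3\n");
        System.out.println("plain document: " + plain);
    }
}
```

With the default Constructor the first load returns a map whose "path" value is a java.io.File instance chosen by the document; with SafeConstructor the same document is rejected before any class is resolved, while the tag-free document still parses. When auditing a build, search for `new Yaml()` (and `new Yaml(new Constructor(...))`) on code paths that read user-supplied content; only those paths need the SafeConstructor change.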
Anzo 5.3.11
- CVE-2022-42003: The FasterXML jackson-databind dependency was updated to remediate a possible resource exhaustion vulnerability.
- CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Apache XML Graphics Batik dependency was updated to remediate Server-Side Request Forgery (SSRF) vulnerabilities as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
- CVE-2022-40149 and CVE-2022-40150: The Jettison dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
- CVE-2022-3171: The protobuf dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2022-36944: The Scala library dependency for Anzo Unstructured was updated to remediate this possible deserialization of untrusted data vulnerability.
- CVE-2021-0341: The com.squareup.okhttp dependency for Anzo Unstructured was updated to remediate this possible improper certificate validation vulnerability.
- CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, and CVE-2022-38752: The snakeYAML dependency for Anzo Unstructured was updated to remediate these possible Denial of Service (DoS) vulnerabilities.
- CVE-2022-36033: The jsoup dependency for Anzo Unstructured was updated to remediate this possible cross-site scripting (XSS) vulnerability.
- CVE-2018-12536: The Eclipse Jetty Server dependency for Anzo Unstructured was updated to remediate this vulnerability.
- CVE-2022-33879: The org.apache.tika dependency for Anzo Unstructured was updated to remediate this vulnerability.
Anzo 5.3.10
- CVE-2022-36033: The jsoup Java HTML parser dependency was updated to version 1.15.3 to remediate a cross-site scripting (XSS) vulnerability.
- CVE-2022-25857: The org.yaml:snakeyaml dependency was updated to version 1.31 to remediate a Denial of Service (DoS) vulnerability.
- CVE-2022-34169: The Apache Xalan Java XSLT library was removed to avoid an integer truncation issue that could occur when processing malicious XSLT stylesheets.
- Several Anzo Distributed Unstructured dependencies were updated to remediate the following vulnerabilities:
CVE-2019-20444, CVE-2021-37136, CVE-2021-35516, CVE-2018-1000632, CVE-2021-21290, CVE-2021-28657, CVE-2019-20445, CVE-2021-37137, CVE-2021-35517, CVE-2014-0114, CVE-2012-5783, CVE-2022-25169, CVE-2019-17571, CVE-2020-7238, CVE-2021-36090, CVE-2012-0881, CVE-2021-29425, CVE-2022-30126, CVE-2022-23305, CVE-2021-29505, CVE-2020-11988, CVE-2013-4002, CVE-2021-28169, CVE-2022-30973, CVE-2021-27568, CVE-2021-43859, CVE-2018-10936, CVE-2020-13956, CVE-2020-15250, CVE-2021-27807, CVE-2022-21724, CVE-2022-23302, CVE-2020-13692, CVE-2020-15522, CVE-2018-11771, CVE-2021-27906, CVE-2019-13990, CVE-2022-23307, CVE-2022-25647, CVE-2020-0187, CVE-2018-1324, CVE-2021-31811, CVE-2020-10683, CVE-2021-4104, CVE-2020-9492, CVE-2020-26939, CVE-2018-10237, CVE-2021-31812, CVE-2017-18640, CVE-2021-33813, CVE-2019-14262, CVE-2021-22569, CVE-2020-1950, CVE-2022-26336, CVE-2020-28491, CVE-2020-13936, CVE-2022-23596, CVE-2021-43797, CVE-2020-1951, CVE-2019-12415, CVE-2021-35515, CVE-2022-2048, CVE-2021-21295, CVE-2020-9489, CVE-2022-24613, CVE-2019-17573, CVE-2020-13954, CVE-2019-12406, CVE-2020-1945, CVE-2021-36373, CVE-2022-24614, CVE-2009-2625, CVE-2021-34428, and CVE-2021-36374.
Anzo 5.3.9
- CVE-2022-2047: The Eclipse jetty dependency was updated to version 9.4.46 to remediate a vulnerability that could lead to failures in a Proxy scenario.
- CVE-2022-33980: The Apache Commons Configuration (commons-configuration) dependency was updated to version 2.8 to remediate this vulnerability.
Anzo 5.3.8
- CVE-2022-25169: The Apache Tika dependency was updated to version 1.28.3 to remediate a BPG parser vulnerability.
- CVE-2022-31129: The moment JavaScript library dependency was upgraded to remediate this vulnerability.
Anzo 5.3.6
- CVE-2021-21409, CVE-2021-21295, CVE-2021-21290, CVE-2021-37137, CVE-2021-37136, and CVE-2021-43797: The Netty gRPC dependency library (grpc-netty-shaded) was updated to version 4.1.72 to remediate the listed vulnerabilities.
- CVE-2021-43797, CVE-2022-24823, CVE-2021-37136, and CVE-2021-37137: The Netty IO dependency library (io.netty.*) was updated to version 4.1.77 to remediate the listed vulnerabilities.
- CVE-2021-22569: The protobuf-java dependency library was updated to version 3.18.2 to resolve this vulnerability.
- CVE-2018-1337: The Apache Directory LDAP API dependency was updated to version 1.0.3 to remediate this vulnerability.
- CVE-2021-41973: The Apache MINA dependency was updated to version 2.0.23 to remediate this vulnerability.
- CVE-2019-10101 and CVE-2020-29582: The JetBrains Kotlin dependency was updated to version 1.6.21 to remediate a potential man-in-the-middle (MITM) vulnerability and an insecure temporary file and directory creation vulnerability.
- CVE-2019-0809: The Anzo CData JDBC and ODBC drivers were updated to remediate a Visual Studio remote code execution vulnerability.
- CVE-2022-25169: The Apache Tika dependency was updated to version 1.28.2 to remediate a BPG parser vulnerability.
- CVE-2021-22573: The com.google.oauth-client dependency was updated to version 1.33.3 to remediate an IDToken verifier vulnerability.
- CVE-2022-25647: The com.google.code.gson:gson package was updated to version 2.8.9 to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2021-22112, CVE-2019-3795, CVE-2021-22096, CVE-2016-1000027, CVE-2022-22950, and CVE-2022-22965: The Spring Framework dependencies were updated to version 5.3.19_1 to remediate the listed vulnerabilities.
- CVE-2019-16869, CVE-2019-20444, CVE-2019-20445, CVE-2021-21290, CVE-2021-21295, CVE-2021-21409, CVE-2021-37136, CVE-2021-37137, and CVE-2021-43797: The Netty IO dependency library for the Anzo Unstructured software was updated to remediate the listed vulnerabilities.
- CVE-2021-44878: The Pac4j dependency was updated to version 5.3.0 to remediate an OpenID Connect provider vulnerability.
- CVE-2022-24721: The CometD dependency was updated to version 5.0.11 to remediate a vulnerability where a remote user could have subscribed to the Oort and Seti channels and watched internal network traffic.
- CVE-2021-42550: The logback-core dependency was updated to version 1.2.9 to remediate a potential vulnerability that could have allowed an attacker to craft a malicious configuration.
- CVE-2021-42392 and CVE-2022-23221: The H2 database dependency was updated to version 2.1.212 to remediate an unauthenticated remote code execution vulnerability.
- CVE-2022-26336: The Apache POI (poi-scratchpad) dependency was updated to version 5.2.2 to remediate an Out of Memory exception vulnerability.
- CVE-2022-26612: The Apache Hadoop dependency was updated to version 3.2.3 to remediate a symlink vulnerability.
- CVE-2020-36518: The jackson-databind dependency was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
- CVE-2017-7658, CVE-2017-7657, and CVE-2018-7489: The shaded classes were removed from the EHCache dependencies to remediate the listed vulnerabilities.
- CVE-2018-25032, CVE-2022-0778, CVE-2021-23222, CVE-2021-3634, CVE-2021-23177, CVE-2021-31566, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, and CVE-2022-23308: The Anzo dynamic K8s fluent-bit component was updated to resolve the listed vulnerabilities.
- CVE-2021-41184, CVE-2021-41183, and CVE-2021-41182: The JQuery-UI library was updated to remediate the listed vulnerabilities.
- CVE-2021-23337, CVE-2020-28500, CVE-2020-8203, CVE-2019-10744, CVE-2019-1010266, CVE-2018-16487, and CVE-2018-3721, plus an uncontrolled resource consumption (CWE-400) issue: The Lodash dependency was updated to remediate the listed vulnerabilities.
Anzo 5.3.4
- CVE-2021-22144, CVE-2021-22145, and CVE-2021-22147: The Elasticsearch dependencies were updated to version 7.14.1 to resolve the listed vulnerabilities.
- CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, and CVE-2021-36090: The Apache Commons Compress (org.apache.commons.commons-compress) library was updated to version 1.21.0 to remediate Denial of Service (DoS) vulnerabilities.
- CVE-2021-34429: The Eclipse Jetty dependency was updated to version 9.4.43.v20210629 to remediate a security constraint vulnerability.
- CVE-2021-37714: The jsoup Java library was updated to version 1.14.2 to remediate a Denial of Service (DoS) vulnerability.
- CVE-2021-41616: The unused Apache DB DdlUtils (org.apache.ddlutils) .jar file was removed from Anzo to remediate this vulnerability.
- The netty dependency was updated to version 4.1.70.
Anzo 5.3.2
The following vulnerabilities were remediated in Anzo Unstructured Leader and Worker software dependencies.
- The Data Mapper and Data Binding packages for Jackson were upgraded to remediate the following vulnerabilities:
CVE-2017-7525, CVE-2018-14718, CVE-2018-7489, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-1000873, CVE-2019-14893, CVE-2019-14540, CVE-2019-16335, CVE-2019-17267, CVE-2019-20330, CVE-2019-16943, CVE-2019-16942, CVE-2019-17531, CVE-2019-14892, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-35490, CVE-2020-35491, CVE-2020-25649, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2021-20190, CVE-2020-35728, and CVE-2020-36179 through 36189.
- CVE-2016-5007, CVE-2016-9878, CVE-2018-1271, CVE-2018-1272, CVE-2018-1273, and CVE-2018-15756: The Spring Data Commons package was upgraded to remediate the listed vulnerabilities.
- CVE-2018-1270: The Spring Framework package was upgraded to remediate a remote code execution vulnerability.
- CVE-2019-17195: The Nimbus JOSE + JWT library was upgraded to remediate an issue with uncaught exceptions that had a potential authentication bypass vulnerability.
- CVE-2019-20444, CVE-2019-20445, and CVE-2019-16869: The Netty dependency was upgraded to remediate a vulnerability with inconsistent interpretation of HTTP requests (HTTP Request Smuggling).
- CVE-2021-27568: The Json-smart dependency was upgraded to remediate an improper check for unusual or exceptional conditions.
- CVE-2015-6748 and CVE-2021-37714: The Java HTML Parser library, jsoup, was upgraded to remediate a Cross-Site Scripting (XSS) and possible Denial of Service (DoS) vulnerability.
- CVE-2020-26939: The Bouncy Castle dependency was upgraded to remediate observable differences in behavior to error inputs.
- CVE-2017-15288: The Scala compilation daemon dependency was upgraded to remediate an incorrect permission assignment for critical resource vulnerability.
- CVE-2020-9492: The Apache Hadoop dependency was upgraded to remediate an incorrect authorization vulnerability.
- CVE-2019-10086: The Apache Commons Beanutils dependency was upgraded to remediate a deserialization flaw.
Anzo 5.3.0
- CVE-2021-22134: The Elasticsearch dependency was upgraded to version 7.12 to remediate a document disclosure flaw when Document or Field Level Security was used.
- CVE-2020-28491: The Jackson Dataformat XML dependency was upgraded to version 2.12.1 to remediate an unchecked allocation of byte buffers that could cause a java.lang.OutOfMemoryError exception.
- CVE-2021-29425: The Apache Commons IO dependency was upgraded to version 2.8 to remediate an issue where an improper input string to a subdirectory could result in access to the parent directory.
- CVE-2021-28657: The Apache Tika dependency was upgraded to version 1.26 to remediate an issue where a corrupt file could trigger an infinite loop in Tika's MP3Parser.
- CVE-2020-27223, CVE-2021-28163, and CVE-2021-28165: The Eclipse Jetty dependency was updated to version 9.4.40.v20210413 to remediate a Denial of Service (DoS) vulnerability.
- CVE-2020-13947 and CVE-2021-26117: The Apache ActiveMQ dependency was upgraded to version 5.16.2 to remediate a Cross-Site Scripting (XSS) vulnerability as well as a vulnerability that could result in a failure to check passwords.
- CVE-2020-8554 and CVE-2020-8570: The Kubernetes API and Java client libraries were upgraded to remediate these vulnerabilities.
- The JQuery dependencies were updated to resolve Cross-Site Scripting (XSS) vulnerabilities.
AnzoGraph Releases
AnzoGraph 3.1.5
- CVE-2024-47554: The Apache Commons IO dependency of the Neptune extension library of AnzoGraph DB was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
- CVE-2024-48910: The DOMPurify dependency was upgraded to version 2.4.2 to remediate this Prototype Pollution vulnerability.
AnzoGraph 3.1.4
- CVE-2024-34156: The encoding/gob package dependency was updated to remediate this stack exhaustion vulnerability (Go upgraded to version 1.23.1).
- CVE-2024-7254: The Protocol Buffers parser dependency was updated to remediate this improper input validation vulnerability.
- CVE-2024-45801: The DOMPurify dependency was upgraded to remediate this XSS attack vulnerability.
- CVE-2024-43591: The Azure Command-Line Interface (CLI) was updated to remediate this elevation of privilege vulnerability.
- CVE-2024-2398: The libcurl dependency was upgraded from version 8.1.2 to 8.10.1 to further remediate this HTTP/2 push headers memory-leak vulnerability.
- CVE-2024-47554: The Apache Commons IO dependency was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
- CVE-2024-8184: The Eclipse jetty dependency was updated to version 12.0.12 to remediate a potential remote Denial of Service (DoS) attack vulnerability.
AnzoGraph 3.1.3
- CVE-2024-2398: The libcurl dependency was updated to remediate this HTTP/2 push headers memory-leak vulnerability.
- CVE-2024-6345: The pypa/setuptools dependency was upgraded to remediate this vulnerability.
AnzoGraph 3.1.2
- CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).
- CVE-2023-45288: The golang net/http and x/net/http2 package dependencies were updated to remediate this HTTP/2 CONTINUATION Flood vulnerability.
- CVE-2023-6597: The CPython dependency for the frontend user interface was updated to remediate this tempfile.TemporaryDirectory class vulnerability.
- CVE-2023-52424: A dependency for the frontend user interface was updated to remediate the SSID Confusion Attack vulnerability.
- CVE-2024-24788: A golang dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).
AnzoGraph 3.1.1
- CVE-2024-21634: The ion-java dependency for AnzoGraphDB was updated to remediate this vulnerability.
- CVE-2024-29857 and CVE-2024-30172: The BC Java, BC Java LTS, BC-FJA, and BC C# .Net dependencies for the frontend user interface were updated to remediate these vulnerabilities.
- CVE-2024-33601, CVE-2024-33599, CVE-2024-33600, CVE-2024-33602, CVE-2024-2961: The glibc library dependencies for all containers were updated to remediate these vulnerabilities.
AnzoGraph 3.1.0
- CVE-2024-22201: The Jetty dependency for the frontend user interface was updated to remediate this vulnerability.
- CVE-2023-32200: The Apache Jena dependency for the frontend user interface was updated to remediate this vulnerability.
- CVE-2024-25710 and CVE-2024-26308: The Apache Commons dependency for the frontend user interface was updated to remediate these vulnerabilities.
- CVE-2023-32067: The c-ares dependency library was updated to remediate a possible Denial of Service (DoS) vulnerability.
- CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.
- CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.
- CVE-2022-46175: The JSON5 dependency for the frontend user interface was updated to remediate this vulnerability.
- CVE-2022-31129: The moment JavaScript library dependency for the frontend user interface was upgraded to remediate this vulnerability.
- CVE-2021-0341: The com.squareup.okhttp dependency for the frontend user interface was updated to remediate this possible improper certificate validation vulnerability.
- CVE-2020-21469: The PostgreSQL dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.
- GHSA-v78c-4p63-2j6c: The moment-timezone dependency for the frontend user interface was updated to remediate this vulnerability.
- GHSA-xpw8-rcwv-8f8p: The Netty dependency for the frontend user interface was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.
- The Eclipse Jetty dependency for the frontend user interface was updated to remediate the following vulnerabilities:
GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-wgh7-54f2-x98r, GHSA-58qw-p7qm-5rvh, CVE-2022-2191, CVE-2022-25647, CVE-2007-1652, CVE-2022-2048, CVE-2009-5045, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2020-27216, CVE-2023-44487, CVE-2023-40167, CVE-2023-36478, CVE-2023-36479, and CVE-2023-41900.
- SONATYPE-2022-4402: The Postgres JDBC driver was updated to remediate this possible SQL injection vulnerability.
- SONATYPE-2022-6438: The jackson-core and jackson-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.
AnzoGraph 2.5.22
- CVE-2022-30187: Azure Storage client library dependencies were updated to remediate the Azure Storage Library Information Disclosure Vulnerability.
- CVE-2023-2976: The Google Guava dependency was updated to remediate this vulnerability.
- CVE-2024-29025: The io.netty:netty-codec-http dependency was updated to remediate this HttpPostRequestDecoder out-of-memory vulnerability.
- CVE-2024-29131 and CVE-2024-29133: The Apache Commons Configuration dependency was updated to remediate these Out-of-bounds Write vulnerabilities.
- CVE-2023-52428: The Connect2id Nimbus JOSE+JWT dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
AnzoGraph 2.5.21
- CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability.
- CVE-2023-45288: The golang net/http and x/net/http2 package dependencies were updated to remediate this HTTP/2 CONTINUATION Flood vulnerability.
- CVE-2023-45283: The golang path/filepath package dependency was updated to remediate this vulnerability.
- CVE-2024-24791: The golang net/http HTTP/1.1 client dependency for AnzoGraphDB and frontend user interface was updated to remediate a potential Denial of Service (DoS) vulnerability.
- GHSA-58qw-p7qm-5rvh: The Eclipse Jetty dependency was updated to remediate this XmlParser XML external entity (XXE) vulnerability.
- CVE-2022-36944: The Scala dependency for AnzoGraphDB was upgraded to remediate this vulnerability.
AnzoGraph 2.5.20
- CVE-2023-46234: The browserify-sign package dependency for the frontend user interface was updated to remediate this cryptographic signature verification vulnerability.
- CVE-2024-21634: The ion-java dependency for AnzoGraphDB was updated to remediate this vulnerability.
- CVE-2024-26308 and CVE-2024-25710: The Apache Commons Compress dependencies for AnzoGraphDB were updated to remediate these vulnerabilities.
- GHSA-xpw8-rcwv-8f8p: The netty-codec-http2 dependency for AnzoGraphDB and frontend user interface was updated to remediate the HTTP/2 Rapid Reset Attack vulnerability.
- CVE-2022-21698, CVE-2023-39325, CVE-2021-44716, CVE-2022-32149, CVE-2022-28948, CVE-2022-27664, and CVE-2022-41723: The golang dependencies for the AnzoGraph operator (client_golang, net/http, golang.org/x/net/http2, Go-Yaml) were updated to remediate these vulnerabilities.
- GHSA-m425-mq94-257g: The gRPC-Go dependency for the AnzoGraph (golang) client was updated to remediate the HTTP/2 Rapid Reset Attack vulnerability.
- CVE-2023-46233: The configuration of crypto-js JavaScript library for the frontend user interface was updated to remediate this vulnerability.
- CVE-2024-22201, CVE-2024-25710, CVE-2024-26308, and CVE-2023-32200: The Eclipse Jetty, Apache Commons Compress, and Apache Jena dependencies for the frontend user interface were updated to remediate these vulnerabilities.
- CVE-2024-29857 and CVE-2024-30172: The BC Java, BC Java LTS, BC-FJA, and BC C# .Net dependencies for the frontend user interface were updated to remediate these vulnerabilities.
- CVE-2024-33601, CVE-2024-33599, CVE-2024-33600, CVE-2024-33602, CVE-2024-2961, CVE-2023-4813, CVE-2023-4806, CVE-2023-4527, and CVE-2023-4911: The glibc library dependencies for all containers were updated to remediate these vulnerabilities.
AnzoGraph 2.5.19
- The Jetty dependency for the frontend user interface was updated to remediate the following vulnerabilities:
GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-wgh7-54f2-x98r, GHSA-58qw-p7qm-5rvh, CVE-2022-25647, CVE-2007-1652, CVE-2022-2048, CVE-2009-5045, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2020-27216, CVE-2023-44487, CVE-2023-40167, CVE-2023-36478, CVE-2023-36479, and CVE-2023-41900.
AnzoGraph 2.5.17
- CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.
AnzoGraph 2.5.15
- CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.
AnzoGraph 2.5.14
- CVE-2022-2191: The Eclipse Jetty dependency for the frontend user interface was updated to version 11.0.14 to remediate this vulnerability.
AnzoGraph 2.5.12
- SONATYPE-2022-6438: The jackson-core and jackson-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.
- GHSA-h4h5-3hr4-j3g2: The com.google.protobuf and woodstox-core dependencies were updated to remediate this vulnerability.
AnzoGraph 2.5.11
- CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
- CVE-2022-42003 and CVE-2022-42004: The FasterXML jackson-databind dependencies were updated to remediate these vulnerabilities.
- CVE-2022-41853: To mitigate this vulnerability, the HyperSQL DataBase driver was removed from the product.
- CVE-2022-36944: The Scala library was updated to version 2.13.9 to remediate this vulnerability.
- CVE-2020-15250: The JUnit dependency was updated to version 4.13.1 to remediate this vulnerability.
AnzoGraph 2.5.10
- CVE-2015-6420: The Apache Commons Collections (ACC) library (commons-collections) dependency was updated to remediate this vulnerability.
- CVE-2022-25168: The Apache Hadoop file utility (hadoop-common) dependency was updated to remediate this vulnerability.
- CVE-2022-2309: The python2-lxml dependency was updated to remediate this vulnerability.
AnzoGraph 2.5.8
- CVE-2022-31129: The moment JavaScript library dependency in the AnzoGraph user interface was upgraded to remediate this vulnerability.
AnzoGraph 2.5.7
- CVE-2021-0341: The unused Java component OkHostnameVerifier.java was removed from the AnzoGraph user interface to remediate this vulnerability.
AnzoGraph 2.5.6
- CVE-2020-8908: Updated the GDI Guava dependency to remediate a temp directory creation vulnerability.
- CVE-2021-22573: Updated the GDI com.google.oauth-client:google-oauth-client dependency to version 1.33.3 to remediate a vulnerability where the IDToken verifier did not verify if a token was properly signed.
- CVE-2022-24823: Updated the GDI Netty IO dependency to version 4.1.77.Final to remediate this vulnerability.
AnzoGraph 2.5.5
- CVE-2020-36518: The jackson-databind dependency for AnzoGraph extensions and the frontend user interface was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
AnzoGraph 2.5.4
- CVE-2021-3807: The ansi-regex dependency in the frontend user interface was updated to remediate an Inefficient Regular Expression Complexity vulnerability.
- CVE-2022-0778: The MySQL driver was updated to remediate a Denial of Service (DoS) vulnerability related to certificate parsing.
- CVE-2022-29078: The Embedded JavaScript templates package for Node.js, which is used in the frontend user interface, was updated to remediate a vulnerability that could allow server-side template injection.
AnzoGraph 2.5.3
- CVE-2022-24785: The Moment.js JavaScript date library frontend user interface dependency was updated to remediate a path traversal vulnerability.
- CVE-2020-15366, CVE-2021-3757, CVE-2021-3918, CVE-2021-23807: The Another JSON Schema Validator (AJV), json-schema, jsonpointer, and immer frontend user interface dependencies were updated to remediate "prototype pollution" vulnerabilities.
- CVE-2021-23364, CVE-2021-27290, and CVE-2021-23382: The browserslist, ssri, and postcss frontend user interface dependencies were updated to remediate Regular Expression Denial of Service (ReDoS) vulnerabilities.
- CVE-2021-3803: The nth-check frontend user interface dependency was updated to remediate an Inefficient Regular Expression Complexity vulnerability.
AnzoGraph 2.5.2
- CVE-2020-36518: The jackson-databind dependency in the GDI and Neptune and Geospatial extensions was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
- CVE-2021-3807 and CVE-2021-44906: The ansi-regex and Minimist dependencies in the AnzoGraph frontend container were updated to remediate vulnerabilities.
- CVE-2022-25315: The Expat library for Red Hat Enterprise Linux and CentOS 7 was updated to remediate the integer overflow flaw in libexpat.
AnzoGraph 2.5.1
Updated 2.5.1 Docker Images
The following Docker images were re-released to resolve the vulnerabilities listed below:
docker.io/cambridgesemantics/anzograph-frontend:latest
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912-b202202242300
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
docker.io/cambridgesemantics/anzograph-frontend:2.5.1
docker.io/cambridgesemantics/anzograph-db:latest
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-db:2.5.1
docker.io/cambridgesemantics/anzograph:latest
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph:2.5.1
docker.io/cambridgesemantics/anzograph-devel:latest
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-devel:2.5.1
- CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
- CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.
Released 2.5.1 Red Hat Marketplace Images
The following release of Red Hat Marketplace images resolve the vulnerabilities listed below:
cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202282115
cambridgesemantics/anzograph:2.5.1-r202202161817-b202202282115
- CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
- CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.
Initial 2.5.1 Release of all Deployment Methods Except Red Hat Marketplace
- CVE-2021-21290, CVE-2021-37137, CVE-2021-21409, CVE-2021-37136, CVE-2021-21295, and CVE-2021-43797: The Netty dependencies were upgraded to remediate the listed vulnerabilities.
- CVE-2021-44832: The Apache Log4j 2 Java library was upgraded to version 2.17.1 to remediate a vulnerability related to a remote code execution (RCE) attack.
- CVE-2021-22569: The protobuf-java dependency was upgraded to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2021-3712: The OpenSSL library dependencies were updated to remediate a potential Denial of Service (DoS) vulnerability.
- CVE-2020-25704, CVE-2020-36322, and CVE-2021-42739: The Linux kernel headers dependency was upgraded to remediate these vulnerabilities, including a heap-based buffer overflow flaw in a kernel driver.