Patched Vulnerabilities

This page provides information about the common security vulnerabilities that were patched in Anzo and AnzoGraph releases.

Anzo Releases AnzoGraph Releases

Anzo Releases

Anzo 5.4.9

  • CVE-2024-7254: The Protocol Buffers parser dependency was updated to remediate this improper input validation vulnerability.
  • CVE-2024-47561: The Apache Avro Java SDK dependency was upgraded to remediate this vulnerability.
  • CVE-2024-47554: The Apache Commons IO dependency was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
  • CVE-2020-2801, CVE-2023-41993:The Oracle JDK dependency was replaced with OpenJDK version 1.8 to remediate these vulnerabilities.

Anzo 5.4.8

  • GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 package dependency was upgraded to remediate a potential DDoS attack vulnerability.
  • CVE-2020-11971: The Apache Camel's JMX dependency was upgraded to remediate this Rebind Flaw vulnerability.
  • CVE-2024-21634: The ion-java dependency for AnzoGraphDB was updated to remediate this Oracle JDK vulnerability.

Anzo 5.4.7

  • CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability.
  • CVE-2024-2961: The glibc library dependency was updated to remediate this vulnerability.

Anzo 5.4.6

  • CVE-2018-1320: The Apache Thrift Java client library dependency was updated to remediate this vulnerability.
  • CVE-2023-6378: The logback receiver component of the logback dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2023-34054 and CVE-2023-34062: The Reactor Netty HTTP Server dependency was updated to remediate these vulnerabilities.
  • CVE-2023-33202: The Bouncy Castle for Java dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2023-46673: The Elasticsearch dependency was updated as it was identified that malformed scripts used in the script processor of a pipeline could cause an Elasticsearch node to crash when calling the Simulate Pipeline API.
  • GHSA-xpw8-rcwv-8f8p: The io.netty:netty-codec-http2 dependency for Anzo Distributed Unstructured was updated to remediate this possible HTTP/2 Rapid Reset Attack vulnerability.

Anzo 5.4.5

  • CVE-2023-46604: The Apache ActiveMQ dependency was updated to remediate this possible remote code execution vulnerability.
  • CVE-2023-39410: The Apache Avro dependency for Anzo Unstructured was updated to remediate this possible out of memory vulnerability.
  • CVE-2023-41900, CVE-2023-36479, and CVE-2023-40167: The Eclipse Jetty dependency was updated to remediate these vulnerabilities.
  • CVE-2022-44729 and CVE-2022-44730: The Apache XML Graphics Batik dependency was updated to remediate these possible Server-Side Request Forgery (SSRF) vulnerabilities.
  • CVE-2023-2976: The Google Guava dependency was updated to remediate this vulnerability.

Anzo 5.4.2

  • CVE-2023-24998: The Apache Commons FileUpload dependency for Anzo Unstructured was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2022-1471: Modified the SnakeYaml dependency for Anzo Unstructured to use the SafeConstructor when parsing content.
  • CVE-2023-1370: The json-smart dependency was updated to remediate a possible stack overflow vulnerability.
  • CVE-2023-1436: The Jettison dependency was updated to remediate this possible StackOverflowError vulnerability.
  • CVE-2023-26048, CVE-2023-26049: The Jetty dependency was updated to remediate these vulnerabilities.

Anzo 5.4.1

  • CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
  • CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
  • CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DoS) vulnerability.
  • SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javaassit dependencies were updated to remediate these vulnerabilities.
  • CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
  • CVE-2022-38900: The decode-uri-component dependency was updated to remediate this possible Denial of Service (DoS) vulnerability.

Anzo 5.3.12

  • CVE-2022-25168: The Apache Hadoop file utility dependency was updated to version 3.3.4 to remediate this vulnerability.
  • CVE-2022-38900: The decode-uri-component dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Batik of Apache XML Graphics dependency was updated to version 1.16 to remediate a Server-Side Request Forgery (SSRF) vulnerability as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
  • CVE-2022-1471: Modified the SnakeYaml dependency to use the SafeConstructor when parsing content.
  • CVE-2022-40152: The Woodstox dependency was updated to version 6.4.0 to remediate a potential Denial of Service (DoS) vulnerability.
  • CVE-2021-37533: The Apache Commons Net dependency was updated to version 3.9.0 to remediate this vulnerability.
  • CVE-2022-40150: The Jettison dependency was updated to version 1.5.3 to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2022-45047: The Apache SSHD dependency was updated to version 2.9.2 to remediate this vulnerability.
  • SONATYPE-2019-0870, SONATYPE-2021-0887, SONATYPE-2019-0992, and SONATYPE-2014-0257: The freemarker, passay, jcommander, and javaassit dependencies were updated to remediate these vulnerabilities.

Anzo 5.3.11

  • CVE-2022-42003: The FasterXML jackson-databind dependency was updated to remediate a possible resource exhaustion vulnerability.
  • CVE-2022-40146, CVE-2022-38398, CVE-2022-38648, CVE-2022-41704, and CVE-2022-42890: The Batik of Apache XML Graphics dependency was updated to remediate a Server-Side Request Forgery (SSRF) vulnerability as well as a vulnerability that could allow an attacker to run Java code from untrusted SVG via JavaScript.
  • CVE-2022-40149 and CVE-2022-40150: The Jettison dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
  • CVE-2022-3171: The protobuf dependency was updated to remediate a possible Denial of Service (DoS) vulnerability.
  • CVE-2022-36944: The Scala library dependency for Anzo Unstructured was updated to remediate this possible deserialization of untrusted data vulnerability.
  • CVE-2021-0341: The com.squareup.okhttp dependency for Anzo Unstructured was updated to remediate this possible improper certificate validation vulnerability.
  • CVE-2022-25857, CVE-2022-38749, CVE-2022-38750, CVE-2022-38751, and CVE-2022-38752: The snakeYAML dependency for Anzo Unstructured was updated to remediate these possible Denial of Service (DoS) vulnerabilities.
  • CVE-2022-36033: The jsoup dependency for Anzo Unstructured was updated to remediate this possible cross-site scripting (XSS) vulnerability.
  • CVE-2018-12536: The Eclipse Jetty Server dependency for Anzo Unstructured was updated to remediate this vulnerability.
  • CVE-2022-33879: The org.apache.tika dependency for Anzo Unstructured was updated to remediate this vulnerability.

Anzo 5.3.10

Anzo 5.3.9

  • CVE-2022-2047: The Eclipse jetty dependency was updated to version 9.4.46 to remediate a vulnerability that could lead to failures in a Proxy scenario.
  • CVE-2022-33980: The Apache Commons Configuration (commons-configuration) dependency was updated to version 2.8 to remediate this vulnerability.

Anzo 5.3.8

  • CVE-2022-25169: The Apache Tika dependency was updated to version 1.28.3 to remediate a BPG parser vulnerability.
  • CVE-2022-31129: The moment JavaScript library dependency was upgraded to remediate this vulnerability.

Anzo 5.3.6

Anzo 5.3.4

  • CVE-2021-22144, CVE-2021-22145, and CVE-2021-22147: The Elasticsearch dependencies were updated to version 7.14.1 to resolve the listed vulnerabilities.
  • CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, and CVE-2021-36090: The Apache Commons Compress (org.apache.commons.commons-compress) library was updated to version 1.21.0 to remediate Denial of Service (DoS) vulnerabilities.
  • CVE-2021-34429: The Eclipse Jetty dependency was updated to version 9.4.43.v20210629 to remediate a security constraint vulnerability.
  • CVE-2021-37714: The jsoup Java library was updated to version 1.14.2 to remediate Denial of Service (DoS) vulnerability.
  • CVE-2021-41616: The unused Apache DB DdlUtils (org.apache.ddlutils) .jar file was removed from Anzo to remediate this vulnerability.
  • The netty dependency was updated to version 4.1.70.

Anzo 5.3.2

The following vulnerabilities were remediated in Anzo Unstructured Leader and Worker software dependencies.

Anzo 5.3.0

  • CVE-2021-22134: The Elasticsearch dependency was upgraded to version 7.12 to remediate a document disclosure flaw when Document or Field Level Security was used.
  • CVE-2020-28491: The Jackson Dataformat XML dependency was upgraded to version 2.12.1 to remediate an unchecked allocation of byte buffers that could cause a java.lang.OutOfMemoryError exception.
  • CVE-2021-29425: The Apache Commons IO dependency was upgraded to version 2.8 to remediate an issue where an improper input string to a subdirectory could result in access to the parent directory.
  • CVE-2021-28657: The Apache Tika dependency was upgraded to version 1.26 to remediate an issue where a corrupt file could trigger an infinite loop in Tika's MP3Parser.
  • CVE-2020-27223, CVE-2021-28163, and CVE-2021-28165: The Eclipse Jetty dependency was updated to version 9.4.40.v20210413 to remediate a Denial of Service (DoS) vulnerability.
  • CVE-2020-13947 and CVE-2021-26117: The Apache ActiveMQ dependency was upgraded to version 5.16.2 to remediate a Cross-Site Scripting (XSS) vulnerability as well as a vulnerability that could result in a failure to check passwords.
  • CVE-2020-8554 and CVE-2020-8570: The Kubernetes API and Java client libraries were upgraded to remediate these vulnerabilities.
  • The JQuery dependencies were updated to resolve Cross-Site Scripting (XSS) vulnerabilities.

AnzoGraph Releases

AnzoGraph 3.1.5

  • CVE-2024-47554: The Apache Commons IO dependency of the Neptune extension library of AnzoGraph DB was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
  • CVE-2024-48910: The DOMPurify dependency was upgraded to version 2.4.2 to remediate this Prototype Pollution vulnerability.

AnzoGraph 3.1.4

  • CVE-2024-34156: The encoding/gob package dependency was updated to remediate this stack exhaustion vulnerability (Go upgraded to version 1.23.1).
  • CVE-2024-7254: The Protocol Buffers parser dependency was updated to remediate this improper input validation vulnerability.
  • CVE-2024-45801: The DOMPurify dependency was upgraded to remediate this XSS attack vulnerability.
  • CVE-2024-43591: The Azure Command Line Integration (CLI) Elevation of Privilege Vulnerability was remediated.
  • CVE-2024-2398: The libcurl dependency was upgraded from version 8.1.2 to 8.10.1 to further remediate this HTTP/2 push headers memory-leak vulnerability.
  • CVE-2024-47554: The Apache Commons IO dependency was upgraded to version 2.15.1 to remediate this Uncontrolled Resource Consumption vulnerability.
  • CVE-2024-8184: The Eclipse jetty dependency was updated to version 12.0.12 to remediate a potential remote Denial of Service (DoS) attack vulnerability.

AnzoGraph 3.1.3

  • CVE-2024-2398: The libcurl dependency was updated to remediate this HTTP/2 push headers memory-leak vulnerability.
  • CVE-2024-6345: The pypa/setuptools dependency was upgraded to remediate this vulnerability.

AnzoGraph 3.1.2

  • CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).
  • CVE-2023-45288: The golang net/http and x/net/http2 package dependencies were updated to remediate this HTTP/2 CONTINUATION Flood vulnerability.
  • CVE-2023-6597: The CPython dependency for the frontend user interface was updated to remediate this tempfile.TemporaryDirectory class vulnerability.
  • CVE-2023-52424: A dependency for the frontend user interface was updated to remediate the SSID Confusion Attack vulnerability.
  • CVE-2024-24788: A golang dependency was updated to remediate this vulnerability (Go upgraded to version 1.22.4).

AnzoGraph 3.1.1

AnzoGraph 3.1.0

AnzoGraph 2.5.22

  • CVE-2022-30187: Azure Storage client library dependencies were updated to remediate the Azure Storage Library Information Disclosure Vulnerability.
  • CVE-2023-2976: The Google Guava dependency was updated to remediate this vulnerability.
  • CVE-2024-29025: The io.netty:netty-codec-http dependency was updated to remediate this HttpPostRequestDecoder out-of-memory vulnerability.
  • CVE-2024-29131 and CVE-2024-29133: The Apache Commons Configuration dependency was updated to remediate this Out-of-bounds Write vulnerability.
  • CVE-2023-52428: The Connect2id Nimbus JOSE+JWT dependency was updated to remediate a potential Denial of Service (DoS) vulnerability.

AnzoGraph 2.5.21

  • CVE-2024-24790: The golang net/netip package dependency was updated to remediate this vulnerability.
  • CVE-2023-45288: The golang net/http and x/net/http2 package dependencies were updated to remediate this HTTP/2 CONTINUATION Flood vulnerability.
  • CVE-2023-45283: The golang path/filepath package dependency was updated to remediate this vulnerability.
  • CVE-2024-24791: The golang net/http HTTP/1.1 client dependency for AnzoGraphDB and frontend user interface was updated to remediate a potential Denial of Service (DoS) vulnerability.
  • GHSA-58qw-p7qm-5rvh: The Eclipse Jetty dependency was updated to remediate this XmlParser XML external entity (XXE) vulnerability.
  • CVE-2022-36944: The Scala dependency for AnzoGraphDB was upgraded to remediate this vulnerability.

AnzoGraph 2.5.20

AnzoGraph 2.5.19

The Jetty dependency for the frontend user interface was updated to remediate the following vulnerabilities:

GHSA-jjjh-jjxp-wpff, GHSA-rgv9-q543-rqg4, GHSA-wgh7-54f2-x98r, GHSA-58qw-p7qm-5rvh, CVE-2022-25647, CVE-2007-1652, CVE-2022-2048, CVE-2009-5045, CVE-2017-7656, CVE-2017-7657, CVE-2017-7658, CVE-2017-9735, CVE-2022-2048, CVE-2020-27216, CVE-2023-44487, CVE-2023-40167, CVE-2023-36478, CVE-2023-36479, and CVE-2023-41900.

AnzoGraph 2.5.17

  • CVE-2023-30535: The Snowflake JDBC driver was updated to version 3.13.29 to remediate a possible command injection vulnerability.

AnzoGraph 2.5.15

  • CVE-2023-1370: The json-smart dependency for the frontend user interface was updated to remediate a possible stack overflow vulnerability.

AnzoGraph 2.5.14

  • CVE-2022-2191: The Eclipse Jetty dependency for the frontend user interface was updated to version 11.0.14 to remediate this vulnerability.

AnzoGraph 2.5.12

  • SONATYPE-2022-6438: The jackson-core and jackon-databind dependencies were updated to version 2.14.1 to remediate this vulnerability.
  • GHSA-h4h5-3hr4-j3g2: The com.google.protobuf and woodstox-core dependencies were updated to remediate this vulnerability.

AnzoGraph 2.5.11

  • CVE-2022-42889: The Apache Commons Text (commons-text) dependency was updated to remediate this vulnerability.
  • CVE-2022-42003 and CVE-2022-42004: The FasterXML jackson-databind dependencies were updated to remediate these vulnerabilities.
  • CVE-2022-41853: To mitigate this vulnerability, the HyperSQL DataBase driver was removed from the product.
  • CVE-2022-36944: The Scala library was updated to version 2.13.9 to remediate this vulnerability.
  • CVE-2020-15250: The JUnit dependency was updated to version 4.13.1 to remediate this vulnerability.

AnzoGraph 2.5.10

  • CVE-2015-6420: The Apache Commons Collections (ACC) library (commons-collections) dependency was updated to remediate this vulnerability.
  • CVE-2022-25168: The Apache Hadoop file utility (hadoop-common) dependency was updated to remediate this vulnerability.
  • CVE-2022-2309: The python2-lxml dependency was updated to remediate this vulnerability.

AnzoGraph 2.5.8

  • CVE-2022-31129: The moment JavaScript library dependency in the AnzoGraph user interface was upgraded to remediate this vulnerability.

AnzoGraph 2.5.7

  • CVE-2021-0341: The unused Java component OkHostnameVerifier.java was removed from the AnzoGraph user interface to remediate this vulnerability.

AnzoGraph 2.5.6

  • CVE-2020-8908: Updated the GDI Guava dependency to remediate a temp directory creation vulnerability.
  • CVE-2021-22573: Updated the GDI com.google.oauth-client:google-oauth-client dependency to version 1.33.3 to remediate a vulnerability where the IDToken verifier did not verify if a token was properly signed.
  • CVE-2022-24823: Updated the GDI Netty IO dependency to version 4.1.77.Final to remediate this vulnerability.

AnzoGraph 2.5.5

  • CVE-2020-36518: The jackson-databind dependency for AnzoGraph extensions and the frontend user interface was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.

AnzoGraph 2.5.4

  • CVE-2021-3807: The ansi-regex dependency in the frontend user interface was updated to remediate an Inefficient Regular Expression Complexity vulnerability.
  • CVE-2022-0778: The MySQL driver was updated to remediate a Denial of Service (DoS) vulnerability related to certificate parsing.
  • CVE-2022-29078: The Embedded JavaScript templates package for Node.js, which is used in the frontend user interface, was updated to remediate a vulnerability that could allow server-side template injection.

AnzoGraph 2.5.3

  • CVE-2022-24785: The Moment.js JavaScript date library frontend user interface dependency was updated to remediate a path traversal vulnerability.
  • CVE-2020-15366, CVE-2021-3757, CVE-2021-3918, CVE-2021-23807: The Another JSON Schema Validator (AJV), json-schema, jsonpointer, and immer frontend user interface dependencies were updated to remediate "prototype pollution" vulnerabilities.
  • CVE-2021-23364, CVE-2021-27290, and CVE-2021-23382: The package browserslist, ssri, and postcss frontend user interface dependencies were updated to remediate a Regular Expression Denial of Service (ReDoS) vulnerability.
  • CVE-2021-3803: The nth-check frontend user interface dependency was updated to remediate an Inefficient Regular Expression Complexity vulnerability.

AnzoGraph 2.5.2

  • CVE-2020-36518: The jackson-databind dependency in the GDI and Neptune and Geospatial extensions was updated to remediate a Java StackOverflow exception and Denial of Service (DoS) vulnerability.
  • CVE-2021-3807 and CVE-2021-44906: The ansi-regex and Minimist dependencies in the AnzoGraph frontend container were updated to remediate vulnerabilities.
  • CVE-2022-25315: The Expat library for Red Hat Enterprise Linux and CentOS 7 was updated to remediate the integer overflow flaw in libexpat.

AnzoGraph 2.5.1

Updated 2.5.1 Docker Images

The following Docker images were re-released to resolve the vulnerabilities listed below:

docker.io/cambridgesemantics/anzograph-frontend:latest
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912-b202202242300
docker.io/cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
docker.io/cambridgesemantics/anzograph-frontend:2.5.1
docker.io/cambridgesemantics/anzograph-db:latest
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-db:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-db:2.5.1
docker.io/cambridgesemantics/anzograph:latest
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph:2.5.1
docker.io/cambridgesemantics/anzograph-devel:latest
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817-b202202242300
docker.io/cambridgesemantics/anzograph-devel:2.5.1-r202202161817
docker.io/cambridgesemantics/anzograph-devel:2.5.1
  • CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
  • CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Released 2.5.1 Red Hat Marketplace Images

The following release of Red Hat Marketplace images resolve the vulnerabilities listed below:

cambridgesemantics/anzograph-frontend:2.5.1-i202202151912
cambridgesemantics/anzograph-db:2.5.1-r202202161817-b202202282115
cambridgesemantics/anzograph:2.5.1-r202202161817-b202202282115
  • CVE-2022-24407: The Cyrus SASL dependency was upgraded to remediate a flaw found in the SQL plugin.
  • CVE-2020-25709: The OpenLDAP dependency was upgraded to remediate a vulnerability that could allow an attacker to send a malicious packet to be processed by OpenLDAP’s slapd server.

Initial 2.5.1 Release of all Deployment Methods Except Red Hat Marketplace