Common Vulnerabilities and Exposures (CVE) is a list of common identifiers for publicly known cyber security vulnerabilities. A dependency checker is run on a daily basis over all third-party libraries present in our products.

This check results in a list of vulnerabilities. Either a vulnerability is valid and will be fixed as soon as possible, or it is a so-called "false positive". Due to the way dependency checking works, false positives may occur (i.e. a CPE was identified that is incorrect). For each false positive a description is added, together with a comment on why we think it is a false positive.

When a vulnerability is valid and a solution is available, we strive to fix it in the next patch. Only after the patch is released do we disclose information regarding the vulnerability in the list below.

Known third party vulnerabilities

[Table of known third-party vulnerabilities; only fragments survived extraction and the column headings are lost: CVE-2021-44832; "< 3.0.1" and "< 2.5.3" followed by "3.0.1" and "2.5.3"; "27.0.1-jre and google guice to 4.2.2"; three entries with "< 2.1.1", each "Fixed by upgrading to Spring Framework 4.3.16."; a series of entries listing "1.0.0" and "1.0.1"; CVE-2009-2205.]


False positives

...

The vulnerability is incorrectly matched to the log4j-api dependency, while it only concerns the log4j-core library.

We updated the other log4j dependencies that we ship (log4j-api and log4j-to-slf4j) to version 2.15.0 anyway, to avoid any confusion.

For more information, see https://www.blueriq.com/en/insights/measures-concerning-log4shell.

...

"org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data."

Comment: The slf4j-ext library is affected, but the other slf4j libraries are not.

...

"REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords".

Comment: rest-client is a Ruby library and does not affect the Java library we use.

...

unirest-java-1.4.9.jar

"REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information".

...

Please check the latest vulnerability report of BMA.
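The triage rule described above (a finding is either valid or a documented false positive, and every false positive carries a comment), written out as an added Python example that is not part of this page or of the dependency checker it refers to. The Finding/Suppression structures, the CPE strings and the CVE ids are constructed placeholders; the mismatch heuristic only catches cases like the Ruby rest-client CPE matched to unirest-java, and it flags them for review rather than dropping them.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    artifact: str     # jar name as reported by the dependency checker
    cpe: str          # CPE 2.3 string the checker matched to that jar
    cve: str          # ids in the sample data below are constructed placeholders
    description: str
@dataclass(frozen=True)
class Suppression:
    artifact_prefix: str
    cve: str
    comment: str      # why the match is considered a false positive (mandatory)
def cpe_product(cpe: str) -> str:
    """Product field (index 4) of a 'cpe:2.3:part:vendor:product:version:...' string."""
    parts = cpe.split(":")
    return parts[4] if len(parts) > 4 else ""

def cpe_mismatch(f: Finding) -> bool:
    """True when the matched CPE product name does not occur in the artifact name."""
    return cpe_product(f.cpe).replace("_", "-") not in f.artifact
def triage(findings, suppressions):
    """Split findings into (valid, false_positives); each entry is (finding, note)."""
    for s in suppressions:  # a suppression without a justification is rejected outright
        if not s.comment.strip():
            raise ValueError(f"suppression of {s.cve} for {s.artifact_prefix} has no comment")
    valid, false_positives = [], []
    for f in findings:
        sup = next((s for s in suppressions
                    if s.cve == f.cve and f.artifact.startswith(s.artifact_prefix)), None)
        if sup is not None:
            false_positives.append((f, sup.comment))
        else:  # unsuppressed findings stay valid; mismatches are only flagged for review
            valid.append((f, "review: CPE product not in artifact name" if cpe_mismatch(f) else ""))
    return valid, false_positives

# Constructed sample data modelled on the page's false positives; CVE ids are placeholders.
FINDINGS = [
    Finding("log4j-api-2.15.0.jar", "cpe:2.3:a:apache:log4j:2.15.0:*:*:*:*:*:*:*",
            "CVE-0000-0001", "concerns the log4j-core library only"),
    Finding("slf4j-api-1.7.25.jar", "cpe:2.3:a:qos:slf4j:1.7.25:*:*:*:*:*:*:*",
            "CVE-0000-0002", "org.slf4j.ext.EventData in slf4j-ext before 1.8.0-beta2"),
    Finding("unirest-java-1.4.9.jar", "cpe:2.3:a:rest-client_project:rest-client:1.4.9:*:*:*:*:*:*:*",
            "CVE-0000-0003", "REST client for Ruby before 1.7.3 logs usernames and passwords"),
]
SUPPRESSIONS = [
    Suppression("log4j-api-", "CVE-0000-0001", "Only log4j-core is affected, not log4j-api"),
    Suppression("slf4j-api-", "CVE-0000-0002", "Only the slf4j-ext library is affected"),
]
```

Running `triage(FINDINGS, SUPPRESSIONS)` returns the two suppressed matches with their comments and leaves the unirest-java finding as valid, flagged for review because the matched CPE names a different product.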