January 24, 2023
Tomcat vulnerabilities CVE-2022-45143 and CVE-2022-42252 have both been reported but have been determined not to be risks to the FlexDeploy software.
CVE-2022-42252 - Apache Tomcat request smuggling
This only applies if rejectIllegalHeader is set to false. FlexDeploy leaves this value at the default of true, so this vulnerability is not a risk in FlexDeploy implementations.
CVE-2022-45143 - Apache Tomcat JsonErrorReportValve
This only applies if the JsonErrorReportValve class is used. FlexDeploy does not use this class anywhere in its code, and as a result FlexDeploy is not at risk from this vulnerability.
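Both Tomcat findings above are conditional on server.xml settings, so the practical check for an administrator is to inspect the Tomcat configuration rather than the CVE list. The following script is an added example (not Flexagon or Apache code) that audits a server.xml for the two conditions the bulletin cites: a Connector with rejectIllegalHeader="false" (CVE-2022-42252) and a Valve entry enabling org.apache.catalina.valves.JsonErrorReportValve (CVE-2022-45143). It assumes the standard server.xml layout, that an absent rejectIllegalHeader attribute means the default of true as stated above, and that the JSON error valve is only active when explicitly configured as a Valve; the embedded server.xml is a constructed sample, not a FlexDeploy file.

```python
"""Audit a Tomcat server.xml for the two conditions this bulletin cites.

Added example, not Flexagon or Apache code. Assumes the standard server.xml
layout (Connector under Service, Valve under Engine/Host/Context), that an
absent rejectIllegalHeader attribute means the default of true, and that
JsonErrorReportValve is only active when configured as a Valve element.
"""
import xml.etree.ElementTree as ET

JSON_VALVE = "org.apache.catalina.valves.JsonErrorReportValve"

# Constructed sample (not a real FlexDeploy configuration): one connector that
# relies on the default, one explicitly weakened connector, and the JSON error
# valve enabled on a Host.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8000" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" rejectIllegalHeader="false"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.JsonErrorReportValve"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def weak_connectors(server_xml: str) -> list[str]:
    """Return the port of every Connector whose rejectIllegalHeader is false.

    CVE-2022-42252 (request smuggling) requires rejectIllegalHeader="false".
    An absent attribute is treated as the default (true) and is not reported.
    """
    root = ET.fromstring(server_xml)
    weak = []
    for conn in root.iter("Connector"):
        value = conn.get("rejectIllegalHeader", "true").strip().lower()
        if value == "false":
            weak.append(conn.get("port", "?"))
    return weak


def json_error_valves(server_xml: str) -> list[str]:
    """Return the tag of each container (Engine/Host/Context) that enables JsonErrorReportValve.

    CVE-2022-45143 only applies when this valve is configured, so an empty
    list means server.xml does not expose the instance to it.
    """
    root = ET.fromstring(server_xml)
    parents = []
    for container in root.iter():
        for child in container:
            if child.tag == "Valve" and child.get("className") == JSON_VALVE:
                parents.append(container.tag)
    return parents


def audit(server_xml: str) -> dict[str, list[str]]:
    """Combine both checks into one report keyed by CVE identifier."""
    return {
        "CVE-2022-42252": weak_connectors(server_xml),
        "CVE-2022-45143": json_error_valves(server_xml),
    }


if __name__ == "__main__":
    import sys

    # Pass a path to a real server.xml; otherwise the constructed sample is audited.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_SERVER_XML
    for cve, findings in audit(xml_text).items():
        status = "exposed" if findings else "not applicable"
        print(f"{cve}: {status} {findings if findings else ''}".rstrip())
```

Run it against the server.xml of the Tomcat that hosts FlexDeploy; a report of "not applicable" for both CVEs matches the assessment above (rejectIllegalHeader left at its default and no JsonErrorReportValve configured). Note that the valve can also be declared in a context.xml, so that file should be checked the same way if one is present.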
PostgreSQL vulnerabilities:
FLEXDEPLOY-7172 - CVE-2022-41946 only affects large SQL statements, and FlexDeploy does not generate any statements that large. The PostgreSQL JDBC driver will be upgraded in an upcoming release.
January 20, 2023
A Critical Patch Update was released on January 20, 2023, to address a vulnerability in the following versions:
6.0.0.0 through 6.0.0.3
5.7.0.0 through 5.7.0.11
5.6.0.0 through 5.6.0.6
5.5.0.0 through 5.5.0.6
5.4.0.0 through 5.4.0.5
5.3.0.0 through 5.3.0.5
This patch is available to download from our support site in the following versions. Flexagon strongly recommends applying one of the applicable patches as soon as possible, as the upgrade fixes the identified vulnerability in the previous versions.
6.0.0.4
5.7.0.12
5.6.0.7
5.5.0.7
5.4.0.6
5.3.0.6
You can upgrade to the latest version 6.0.0.4 from any of your existing versions. However, if you would like to avoid a major upgrade at this time, you must upgrade to at least the patched release of your current version line. For example, if you are on 5.7.0.x, then upgrade to 5.7.0.12.
Our upgrade guide can be found at FlexDeploy Upgrade Guide. If you need help or assistance upgrading, please contact support by opening a support ticket at http://support.flexagon.com or sending an email to support@flexagon.com.
Flexagon takes the security of its products seriously. Flexagon’s support and development teams are gathering more information surrounding this vulnerability. Information on Flexagon’s Security Bulletin site will be updated continuously.
December 20, 2022
FlexDeploy 6.0.0.3 (release notes: https://flexagon.atlassian.net/wiki/spaces/FD60/pages/9856626703/FlexDeploy+Release+Notes#FlexDeploy-6.0.0.3-(12-20-2022)) addresses the following vulnerabilities:
FLEXDEPLOY-4545, FLEXDEPLOY-6614 - Upgraded the Spring jars and reduced the number of Spring jars present in the FlexDeploy application binaries. This addresses the Spring4Shell vulnerability, CVE-2022-22965.
FLEXDEPLOY-6538 - Upgraded Apache Shiro libraries to address CVE-2022-40664.