FlexDeploy Security Bulletin

Did you know you can subscribe to updates to security issues and release notes? Right click and copy this link and paste it into Outlook RSS Feeds or your feed reader of choice.

 

December 17, 2024

FLEXDEPLOY-13712 - Apache Tomcat before 9.0.98 is affected by CVE-2024-54677 Apache Tomcat - DoS in examples web application and CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet. FlexDeploy does not ship the examples web application so CVE-2024-54677 does not apply. FlexDeploy does not ship the default servlet, so CVE-2024-50379 does not apply. Resolved these CVEs for vulnerability scanners in 8.0.0.9/9.0.0.1.

November 26, 2024

FLEXDEPLOY-13642 - The PowerBI plugin ships with a version of Bouncy Castle that is vulnerable to CVE-2024-29857 and CVE-2024-34447. This will be addressed in a FlexDeploy 9.0.0.1.

FLEXDEPLOY-13643 - The version of Spring-Core that ships with FlexDeploy is vulnerable to CVE-2024-38820. This vulnerability is likely not relevant to FlexDeploy in operation, but it will be address in a future FlexDeploy version.

November 14, 2024

FLEXDEPLOY-13546 - False Positive - A security scanner indicated that nimbus-jose-jwt 9.37.2 was vulnerable to CVE-2023-52428. This was a false positive. It is possible that your scanner may find the same result, but it is incorrect. 9.37.2 was the version that had the fix for this CVE.

FLEXDEPLOY-13547 - FlexDeploy ships with a version of commons-io that is vulnerable to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47554. This is addressed in FlexDeploy 9.0.0.2.

October 21, 2024

FLEXDEPLOY-13177 - In versions 6.5.0.0-6.5.0.20, 7.0.0.0-7.0.0.11 and 8.0.0.0-8.0.0.6, password hashes were visible in a GraphQL query. Upgrading to 6.5.0.21, 7.0.0.12 or 8.0.0.7 is recommended.

September 27,2024

FLEXDEPLOY-12743 - The version of Guava shipped with the Jenkins plugin is vulnerable to CVE-2023-2976. This is resolved in plugin version 8.0.0.7 and 9.0.0.0. The plugin now requires Java 8.

September 17, 2024

FLEXDEPLOY-12828 - Internal testing found that XXE injection was possible in the FlexDeploy application as well as the HPTest, Junit, Oats, ApexSec, ODB, Soapui, and TestNG plugins. The FlexDeploy application was patched for version 9.0.0.0. The plugins were patched in version 8.0.0.6 and 9.0.0.0.

August 23, 2024

FLEXDEPLOY-12739 - The version of Jackson Databind in the Automation Anywhere, JUnit, Oracle Apex Sec, and Tricentis Tosca plugins is vulnerable to CVE-2022-42004 and
CVE-2022-42003. Version 8.0.0.5 updates this version resolving these vulnerabilities.

FLEXDEPLOY-12747 - CVE-2024-40094 - GraphQL Java before 21.5 does not properly consider ExecutableNormalizedFields (ENFs) as part of preventing denial of service via introspection queries. This was resolved in 8.0.0.6 / 9.0.0.0.

FLEXDEPLOY-12748 - CVE-2024-34750 - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat 9 through 9.0.89. FlexDeploy does not ship with HTTP/2 turned on, so it doesn’t affect most installations. This was resolved in 8.0.0.6 / 9.0.0.0.

May 22,2014

FLEXDEPLOY-12343 - The version of Jackson Databind that ships with The EBS plugin in versions 8.0.0.0 and 8.0.0.1 has several vulnerabilities. Version 8.0.0.2 updates this version resolving those CVEs.

April 15, 2024

FLEXDEPLOY-12039 - The versions of Bouncy Castle that ship with FlexDeploy and its plugins are vulnerable to

  • CVE-2024-29857 - Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation.

  • CVE-2024-30171 - Possible timing based leakage in RSA based handshakes due to exception processing eliminated.

  • CVE-2024-30172 - Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code.

  • CVE-2024-301XX - When endpoint identification is enabled and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed.

These issues likely do not affect customers in any way based on the way Bouncy Castle is used in FlexDeploy, but a future release will contain updated versions.

FLEXDEPLOY-12040 - The versions of Joda Time that ship with FlexDeploy and the AWS, Anchore, Dependency Check, Docker, and EC2 plugins is vulnerable to CVE-2024-23080. This vulnerability is that a NPE can be thrown if a bad argument is passed. This case shouldn’t be possible to hit from FlexDeploy, and if hit, it would be handled, so this issue is considered to be minor. The CVE is disputed by the package maintainers, and likely not relevant. The 9.0.0.0 version of FlexDeploy has a newer version of joda time, but this is likely irrelevant as the package maintainers are not attempting to address the issue.

March 15, 2024

FLEXDEPLOY-11432 - A path traversal vulnerability was discovered in FlexDeploy that affected versions 6.0.0.0-6.0.0.9, 6.5.0.0-6.5.0.15,7.0.0.0-7.0.0.3. This vulnerability is patched in versions 6.0.0.10, 6.5.0.16, 7.0.0.4, and 8.0.0.0. Upgrading to one of those versions is recommended.

March 13, 2024

FLEXDEPLOY-11605 - The versions of Apache Tomcat that ships with FlexDeploy are vulnerable to CVE-2024-24549 and CVE-2024-23672. CVE-2024-24549 is regarding HTTP/2, which Flexagon has not recommended, so no customers should be affected. CVE-2024-23672 is in regards to WebSockets, which FlexDeploy does not use. This vulnerability is patched in version 8.0.0.0.

February 29, 2024

FLEXDEPLOY-11369 - The version of oauth2-oidc-sdk that ships with FlexDeploy is vulnerable to an XXE attach identified by SNYK as SNYK-JAVA-COMNIMBUSDS-1243767. This jar will be updated in 8.0.0.0.

FLEXDEPLOY-11371 - The version of nimbus-jose-jwt that ships with FlexDeploy is vulnerable to SNYK-JAVA-COMNIMBUSDS-6247633. This jar will be updated in 9.0.0.0.

February 27, 2024

FLEXDEPLOY-11330 - The Postgres JDBC driver that ships in the FlexDeploy zip is vulnerable to CVE-2024-1597. This vulnerability requires conditions that are not met by FlexDeploy, so FlexDeploy is not affected. This jar was updated in 8.0.0.0.

FLEXDEPLOY-11327 - Jackson-databind through 2.15.2 is affected by CVE-2023-35116 and allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker. A newer version will be included in FlexDeploy 8.0.0.0 and in the 7.0.0.4 plugins that use Java 8.

FLEXDEPLOY-11326 - Commons Compress versions that are vulnerable to CVE-2024-26308 and CVE-2024-25710 are included in FlexDeploy and may FlexDeploy plugins. Version 8.0.0.0 and plugins in 7.0.0.4 will be upgraded to resolve this vulnerabilities.

FLEXDEPLOY-11325 - The version on TestNG that is bundled in the groovy plugin is vulnerable to CVE-2022-4065. This is remedied in 7.0.0.4 and 8.0.0.0.

January 19,2024

The versions of Tomcat that shipped with older FlexDeploy versions earlier than 5.7 are affected by CVE-2023-21733. Update FlexDeploy to a newer version such as 6.5.0.14 or 7.0.0.2 if this affects you.

January 16, 2024

FLEXDEPLOY-10913 - The version of Amazon Ion that ships with the AWS, Docker, and EC2 plugins is vulnerable to CVE-2024-21634. Since the only source that is targeted with those plugins is Amazon’s trusted apis, the vulnerability does not affect FlexDeploy. This warning was resolved in 7.0.0.3.

January 10,2024

FLEXDEPLOY-10895 - FlexDeploy ships with a version of json-smart that is vulnerable to CVE-2023-1370. This was resolved in 6.0.0.10, 6.5.0.15, 7.0.0.3.

FLEXDEPLOY-10898 - FlexDeploy ships with a version of junit that is vulnerable to CVE-2020-15250. This was resolved in 8.0.0.0.

January 9, 2024

FlexDeploy-10879 - The version of SSHJ that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. This was resolved in 7.0.0.2.

January 8, 2024

FlexDeploy-10871 - The version of Apache Mina SSHD that FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. This is addressed in FlexDeploy Version 9.0.0.2.

FlexDeploy-10872 - The version of Trilead SSH2 that ships with SVNKit FlexDeploy uses is vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-48795. SVNKit plans to modify their dependencies in a future release, but it isn’t available yet. This will be addressed in a future FlexDeploy Version.

FlexDeploy-10873 - Json-path is vulnerable to stack overflow exceptions if improper input is parsed. https://nvd.nist.gov/vuln/detail/CVE-2023-51074 is assigned to this issue. This was fixed in 7.0.0.3.

January 5, 2024

FLEXDEPLOY-10845 - Prevent a potential authentication bypass issue on REST calls. The calls were still authorized, but some REST calls allowed non-secured data to be read without authentication in certain cases.
Affects versions 6.0 < 6.0.0.10, 6.5 < 6.5.0.14, 7.0 < 7.0.0.2. This is fixed in versions 6.0.0.10, 6.5.0.14, 7.0.0.2, and 8.0.0.0. Versions < 6.0 are not affected.

January 4, 2024

FLEXDEPLOY-10814 FlexDeploy ships with a version of Shiro vulnerable to CVE-2023-46570. This was resolved in 7.0.0.3.

FLEXDEPLOY-10839 FlexDeploy ships with a version of xmlsec vulnerable to https://nvd.nist.gov/vuln/detail/CVE-2023-44483. This was resolved in 7.0.0.3.

January 2, 2024

FLEXDEPLOY-10826 FlexDeploy ships with JSON JAVA (org.json) that is vulnerable to CVE-2023-5072, https://github.com/advisories/GHSA-4jq9-2xhw-jpx7 , and CVE-2022-45688. This was resolved in 7.0.0.2.

December 11, 2023

FLEXDEPLOY-10663 (FlexDeploy) and FLEXDEPLOY-10715 (HTTPS Agent) The version of Tomcat that FlexDeploy and the FlexDeploy HTTPS agent ship with is vulnerable to CVE-2023-46589. Tomcat was upgraded to version 9.0.83+. The HTTPS agent is updated as of 7.0.0.1/8.0.0.0. FlexDeploy is updated in 7.0.0.2, 6.5.0.14, and 8.0.0.0.

December 4, 2023

The version of logback that is included with the dependency-check plugin is vulnerable to CVE-2023-6378. Dependency Check doesn’t currently have a version that is not vulnerable available. This will be updated in a future plugin version.

FLEXDEPLOY-7790 The version of cucumber-core that ships with the cucumber plugin includes several outdated JavaScript libraries that are vulnerable to CVE-2022-31129, CVE-2017-18214, CVE-2022-24785, and CVE-2023-22467. This was resolved in 8.0.0.0.

FLEXDEPLOY-10658 The version of Gradle shipped with the Gradle plugin is vulnerable to CVE-2023-42445 and CVE-2023-44387. Resolved in 7.0.0.2.

November 1, 2023

FLEXDEPLOY-10386 The version of dom4j included in the Jenkins plugin is vulnerable to CVE-2023-45960. Resolved in 7.0.0.3.

The version of Selenium in the FSM plugin may flag as vulnerable to CVE-2023-5590. However the plugin does not ship with the IE Driver, so it is not vulnerable.

FLEXDEPLOY-10004 The version of Netty in the FSM plugin is vulnerable to CVE-2023-4586. This is resolved in version 7.0.0.0.

FLEXDEPLOY-10387 The version of gprc that ships with the Docker Plugin is vulnerable to CVE-2023-44487. This could make it easier to attack a server, but shouldn’t cause a problem for the plugin. This will be updated in a future plugin version.

October 16, 2023

The version of Java-JSON that ships in many plugins is vulnerable to CVE-2023-5072. This is resolved in version 7.0.0.0 for the plugins that require Java 8. The CVE-2023-5072 patch requires Java 8, so plugins that are compatible with Java 6 or 7 will remain vulnerable.

The version of Tomcat that FlexDeploy and the FlexDeploy HTTPS agent ship with is vulnerable to CVE-2023-45648, CVE-2023-44487, CVE-2023-42795, CVE-2023-42794, and CVE-2023-41080. CVE-2023-41080 is not applicable because the root application doesn’t ship with FlexDeploy. The other vulnerabilities likely do affect FlexDeploy depending on the configuration in your server.xml. Tomcat was upgraded to version 9.0.81+. Resolved in 7.0.0.0, 6.5.0.14.

FlexDeploy has recommended the HTTP/1.1 protocol in the past e.g. Enabling HTTPS on FlexDeploy (Tomcat), so unless you have selected HTTP/2 in your server.xml, CVE-2023-44487 does not apply. Check your server.xml to see what you have active. Using vim will color-code the connectors so that you can easily see which connectors are active. If they are set to HTTP/2, you can switch them to HTTP/1.1 to mitigate the Rapid Reset issue.

October 10, 2023

FLEXDEPLOY-7790 The version of Jquery that ships in the cucumber plugin is vulnerable to CVE-2020-23064. This is resolved in version 8.0.0.0.

October 9, 2023

FLEXDEPLOY-9935 The versions of JGit that ships with FlexDeploy and the FlexDeploy git plugin is vulnerable to CVE-2023-4759. FlexDeploy only uses JGit to parse urls. Command-line git is used for actual git operations, so it is not affected.

FLEXDEPLOY-9934 The version of netty that ships with the OracleSaasFSM plugin is vulnerable to CVE-2023-34462. This is resolved in version 7.0.0.0.

FLEXDEPLOY-9934 The version of jQuery that ships with the Groovy plugin is vulnerable to CVE-2020-23064. This is resolved in version 7.0.0.0.

FLEXDEPLOY-9934 The version of Maven that was the default version installed with some plugins is vulnerable to CVE-2022-4244 and CVE-2022-4245. This is resolved in version 7.0.0.0.

September 11, 2023

The version of Guava that ships with FlexDeploy is updated in 6.5.0.9+, 7.0.0.0. Additionally some other jar versions are updated as well. The eliminates CVE-2018-10237 from the FlexDeploy application.

FLEXDEPLOY-9598 The version of grpc-context in the docker plugin is vulnerable to CVE-2023-33953 and CVE-2023-32732. A new plugin version will be released when Google creates a version of it’s jars that uses a newer version of this dependency.

August 15, 2023

FLEXDEPLOY-9384 - The version of apigee-deploy-maven-plugin that is referenced in the pom.xml that is used by the apigee plugin deploy operation downloads and references old versions of log4j. These versions are vulnerable to a number of CVEs, CVE-2022-23307, CVE-2022-23305, CVE-2022-23302, CVE-2021-4104, and CVE-2019-17571 although it is unclear whether their usage in this case is likely to lead to an incident. This was remedied in later versions of the apigee-deploy-maven-plugin. FlexDeploy released the plugin with an updated pom as versions 5.7.0.15, 6.0.0.9, 6.5.0.8, and 7.0.0.0. However, the version chosen was incorrect, and resulted in a regression. The correct revision was selected in a later plugin version created for 7.0.0.0, 6.5.0.10, 6.0.0.9, 5.7.0.15.

August 7, 2023

CVE-2023-39017 is currently showing up a vulnerability in Quartz 2.3.2 when scanning with dependency-check. In our research we have found that it actually only affects Quartz Jobs 2.3.2, not Quartz. Neither FlexDeploy not FlexDeploy plugins contain the quartz jobs jar. Therefore FlexDeploy is not vulnerable. You can read more here: https://github.com/quartz-scheduler/quartz/issues/943

July 31, 2023

FLEXDEPLOY-9278 - The version of Shiro that ships with FlexDeploy is vulnerable to CVE-2023-34478. This CVE is rated as CRITICAL (9.8) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. This is fixed in FlexDeploy 5.7.0.14, 6.0.0.8, and 6.5.0.7.

July 17, 2023

FLEXDEPLOY-9155 - The version of gradle that ships with the gradle plugin is vulnerable to CVE-2023-35947 and CVE-2023-35946 and CVE-2023-26053 and CVE-2022-23630 and CVE-2022-31156. A new plugin version will be released because CVE-2023-26053 is considered to be a critical vulnerability to Gradle. Resolved in 5.7.0.14, 6.0.0.8, 6.5.0.6+.

July 13, 2023

FLEXDEPLOY-9152 - The version of Bouncy Castle that ships with FlexagonAcunetixPlugin, FlexagonCheckmarxPlugin, FlexagonDockerPlugin, FlexagonJenkinsPlugin, FlexagonOracleCPQPlugin, FlexagonOWASPDependencyCheckPlugin, FlexagonPMDPlugin, FlexDeployArtifactoryXrayPlugin, FlexDeployOpenShiftPlugin, FlexDeployOracleAPIGatewayPlugin, FlexDeploySiebelPlugin is affected by CVE-2023-33201. This vulnerability wouldn’t be possible to hit from these plugins, but the dependency will be upgraded for the 7.0+ versions of these plugins. CVE-2023-33201 is an LDAP related issue, which doesn’t affect these plugins. Even after Flexagon updates its dependencies, the OWASP plugin will contain a version that will still report the vulnerability to an OWASP scan. Resolved in 7.0.0.0

FLEXDEPLOY-9153 - The version of Guava that ships with the FlexagonAzurePlugin, FlexagonJenkinsPlugin, FlexagonOCIPlugin, FlexagonOracleSaaSFSMPlugin, FlexDeployOracleAPIGatewayPlugin, FlexDeploySiebelPlugin are affected by CVE 2023-2976. This vulnerability is not thought to affect these plugins, but the dependency will be upgraded in the future. This was resolved for all but the Jenkins plugin in version 8.0.0.0 or earlier. The Jenkins plugin version was updated in 9.0.0.0.

FLEXDEPLOY-9154 - The version of Jackson Databind that ships with FlexagonAWSPlugin, FlexagonDockerPlugin, FlexagonEC2Plugin, FlexagonJenkinsPlugin is affected by CVE-2017-17485, CVE-2018-11307, and CVE-2023-35116. Because these are running on the plugin instead of the server, the risk is low, but the dependency was upgraded in 7.0.0.0.

FLEXDEPLOY-9155 - The version of gradle that ships with the gradle plugin is vulnerable to CVE-2023-35947 and CVE-2023-35946. A new plugin version will be released. Resolved in 5.7.0.14, 6.0.0.8, 6.5.0.6+.

June 5, 2023

FLEXDEPLOY-8898 - The HTTPS Agent is affected by CVE-2022-45688. Protect your HTTPS agents within your corporate firewalls. Resolved in 6.5.0.5+

May 26, 2023

Server

FLEXDEPLOY-8802 - Tomcat version 9.5.0.73 is vulnerable to CVE-2023-28709. This vulnerability does not affect vanilla installations of FlexDeploy. Resolved in 6.0.0.8 and 6.5.0.5+.

FLEXDEPLOY-8808 - The version of Spring that ships with FlexDeploy is vulnerable to CVE-2023-20860 and CVE-2023-20863. FlexDeploy does not use "**" as a pattern in Spring Security configuration with the mvcRequestMatcher, so it is not vulnerable to 20860. Resolved in 6.5.0.5+.

Plugins

FLEXDEPLOY-8803 - The version of jQuery that ships with the utPLSQL plugin is vulnerable to CVE-2020-7656. Resolved in 8.0.0.0

FLEXDEPLOY-8806 - The version of MySqlConnector that ships with the PeopleSoft plugin is vulnerable to CVE-2022-21363, CVE-2019-2692, CVE-2021-2471, CVE-2020-2934, and CVE-2020-2875. Resolved in 6.5.0.4+.

FLEXDEPLOY-8807 - The version of SpringTest that ships with the AWS plugin is vulnerable to CVE-2023-20861. Resolved in 6.5.0.5+

April 23, 2023

FLEXDEPLOY-8807 - The version of Spring core that ships with the EC2 and AWS plugin is vulnerable to CVE-2023-20861. Resolved in 6.5.0.5+.

March 20, 2023

FLEXDEPLOY-7883 - The version of json-smart that ships with the ServiceNow and XPath plugins is vulnerable to CVE-2023-1370. Resolved in 7.0.0.0.

March 10, 2023

FLEXDEPLOY-7798 - The version of Jackson-dataformat-cbor that is shipped with the AWS plugin is vulnerable to CVE-2020-28491. Resolved in 7.0.0.0.

FLEXDEPLOY-7800 - The version of jackson-mapper that ships with the Siebel, Salesforce, ApexSec, OracleForms, Cucumber, EBS, OBIESS, Junit, TricentisTosca, and AutomationAnywhere plugins is vulnerable to CVE-2019-10172. New plugin versions will be released.

FLEXDEPLOY-7799 - The version of jQuery that is included in the utplsql plugin is vulnerable to CVEs CVE-2012-6708, CVE-2015-9251, CVE-2019-11358, and CVE-2011-4969. Resolved in 8.0.0.0.

FLEXDEPLOY-7764 - The version of jsch that is shipped with the Git plugin is vulnerable to CVE-2016-5725. Resolved in 7.0.0.0.

FLEXDEPLOY-7801 - The version of json-smart that is shipped with the ServiceNow and XPath plugins is vulnerable to CVEs CVE-2021-27568 and CVE-2021-31684. Resolved in 7.0.0.0.

FLEXDEPLOY-7802 - The versions of junit shipped in the Docker, TestNG, Cucumber, and Junit plugins are vulnerable to CVE-2020-15250. Resolved in 7.0.0.0.

FLEXDEPLOY-7762 - The version of logback that ships with the Docker plugin is vulnerable to CVE-2021-42550. Resolved in 7.0.0.0.

FLEXDEPLOY-7761 - The versions of Netty that are shipped with the Docker and SaasFSM plugins are vulnerable to CVEs. Resolved in 7.0.0.0.

March 9, 2023

FLEXDEPLOY-7783 - The version of Ant that ships with the Ant, Tomcat, and Junit plugin are vulnerable to CVEs CVE-2021-36374, CVE-2021-36373, and CVE-2020-1945. Flexagon will release a new version of the plugins. In the meantime, remediation of those vulnerabilities is to control the inputs to the plugin to only your own code. Resolved in 7.0.0.0.

FLEXDEPLOY-7757 - The version of AWS-SDK that is shipped with the Docker and AWS plugins are vulnerable to CVE-2022-31159. Because FlexDeploy performs work in a temp folder location, this CVE does not require remediation. Resolved in 7.0.0.0.

FLEXDEPLOY-7759- The TestNG plugin ships with a version of TestNG that is vulnerable to CVE-2022-4065. Resolved in 7.0.0.0.

FLEXDEPLOY-7757 - The AWS plugin ships with Spring jars that are vulnerable to a number of CVEs. The plugin is not run as a webserver, which remediates them, but a new version of the plugin will be released. Resolved in 7.0.0.0.

FLEXDEPLOY-7788 - The Jenkins plugin ships with a dom4j jar that is vulnerable to CVEs CVE-2020-10683 and CVE-2018-1000632. Resolved in 7.0.0.3 and 8.0.0.0.

FLEXDEPLOY-7793 - The several plugins ship with a version of common-beanutils is that vulnerable to CVE-2014-0114. The plugins were patched for in version 6.5.0.6+.

FLEXDEPLOY-7789 - The Gradle plugin ships with a version of Gradle that is vulnerable to CVEs CVE-2021-29428, CVE-2020-11979, CVE-2021-32751, CVE-2021-29427, CVE-2019-16370, and CVE-2021-29429. Resolved in 7.0.0.0.

FLEXDEPLOY-7758 - The Docker plugin ships with a version of commons-compress that is vulnerable to CVE-2019-12402. Resolved in 7.0.0.0.

FLEXDEPLOY-7790 - The cucumber plugin ships with a version of jQuery that is vulnerable to CVEs CVE-2020-11022 and CVE-2020-11023. Resolved in 8.0.0.0.

FLEXDEPLOY-7792 - The versions of bouncy castle shipped with the FlexagonPeopleSoftPlugin, FlexDeployOpenShiftPlugin, FlexDeployArtifactoryXrayPlugin, FlexagonOracleCPQPlugin, FlexagonPMDPlugin, FlexDeploySiebelPlugin, FlexagonCheckmarxPlugin, FlexagonOWASPDependencyCheckPlugin, FlexagonAcunetixPlugin, FlexagonJenkinsPlugin, and FlexagonDockerPlugin are vulnerable to CVEs CVE-2020-26939, CVE-2020-15522, CVE-2020-0187, CVE-2016-1000338, CVE-2016-1000342, CVE-2016-1000343, CVE-2016-1000344, CVE-2016-1000352, CVE-2016-1000341, CVE-2016-1000345, CVE-2017-13098, CVE-2020-15522, CVE-2015-7940, CVE-2018-5382, CVE-2013-1624, CVE-2016-1000346, and CVE-2016-1000339. The 7.0+ versions of these plugins will contain newer bouncy castle jars.

FLEXDEPLOY-7793 - A version of common-beanutils that is vulnerable to CVE-2019-10086 is shipped with the following plugins: FlexDeployArtifactoryXrayPlugin, FlexDeployAutomationAnywherePlugin, FlexDeployCucumberPlugin, FlexDeployOCCPlugin, FlexDeployOpenShiftPlugin, FlexDeploySODAPlugin, FlexDeployTricentisToscaPlugin, FlexagonADFPlugin, FlexagonAnchorePlugin, FlexagonApexSecPlugin, FlexagonApigeePlugin, FlexagonArtifactoryPlugin, FlexagonAzurePlugin, FlexagonB2BPlugin, FlexagonCVSPlugin, FlexagonCheckmarxPlugin, FlexagonDBCloudPlugin, FlexagonDellBoomiPlugin, FlexagonDockerBenchPlugin, FlexagonEBSPlugin, FlexagonEC2Plugin, FlexagonFilePlugin, FlexagonGITPlugin, FlexagonGlassFishPlugin, FlexagonGradlePlugin, FlexagonGroovyPlugin, FlexagonGruntPlugin, FlexagonHPTestPlugin, FlexagonHelmPlugin, FlexagonIaaSPlugin, FlexagonInformaticaPlugin, FlexagonJCSPlugin, FlexagonJDBCPlugin, FlexagonJMeterPlugin, FlexagonJUnitPlugin, FlexagonJenkinsPlugin, FlexagonJythonPlugin, FlexagonKubernetesPlugin, FlexagonMDSPlugin, FlexagonMFTPlugin, FlexagonMSBuildPlugin, FlexagonMavenPlugin, FlexagonMicrosoftTeamsPlugin, FlexagonMulePlugin, FlexagonNexusPlugin, FlexagonNodePlugin, FlexagonOACPlugin, FlexagonOATSPlugin, FlexagonOBIEEPlugin, FlexagonODIPlugin, FlexagonORDSPlugin, FlexagonOSBPlugin, FlexagonOTBIPlugin, FlexagonOWASPDependencyCheckPlugin, FlexagonOracleAPEXPlugin, FlexagonOracleAPIPlatformPlugin, FlexagonOracleDBPlugin, FlexagonOracleFormsPlugin, FlexagonPMDPlugin, FlexagonPVCSPlugin, FlexagonPeopleSoftPlugin, FlexagonPostmanPlugin, FlexagonPythonPlugin, FlexagonRestPlugin, FlexagonSAPPlugin, FlexagonSOACloudPlugin, FlexagonSOAPlugin, FlexagonServiceNowPlugin, FlexagonShellPlugin, FlexagonSlackPlugin, FlexagonSoapUIPlugin, FlexagonSonarQubePlugin, FlexagonSurroundPlugin, FlexagonTestNGPlugin, FlexagonTomcatPlugin, FlexagonUTPLSQLPlugin, FlexagonWebMethodsPlugin, FlexagonWeblogicPlugin, FlexagonWindowShellPlugin, FlexagonXPathPlugin. Resolved in version 6.5.0.6+.

The dependency-check plugin contains a version of H2 database that is vulnerable to CVE-2018-14335. No version is available that is patched for this issue. This issue would require the attacker to have local disk access to the server, so it is not considered serious.

FLEXDEPLOY-7795 - The EC2, AWS, Jenkins, and Docker plugin ship with versions of Jackson-databind that are vulnerable to CVES CVE-2018-7489, CVE-2017-7525, CVE-2020-10650, CVE-2020-35490, CVE-2020-35491, CVE-2020-36518, CVE-2022-42003, CVE-2022-42004, CVE-2018-1000873, CVE-2019-14379, CVE-2019-14540, CVE-2019-14892, CVE-2019-14893, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943, CVE-2019-17267, CVE-2019-17531, CVE-2019-20330, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2021-20190, CVE-2019-12086, CVE-2019-14439, CVE-2020-25649 , CVE-2019-12384, and CVE-2019-12814. New versions of the plugins will be released.

March 8, 2023

FLEXDEPLOY-5761 - CVE-2021-44878 - If an OpenID Connect provider supports the "none" algorithm (i.e., tokens with no signature), pac4j v5.3.0 (and prior) does not refuse it without an explicit configuration on its side or for the "idtoken" response type which is not secure and violates the OpenID Core Specification. The "none" algorithm does not require any signature verification when validating the ID tokens, which allows the attacker to bypass the token validation by injecting a malformed ID token using "none" as the value of "alg" key in the header with an empty signature value. All versions of FlexDeploy ship with an affected version of pac4j. The remediation for this issue is to not connect FlexDeploy to an insecure provider. No standard providers support the “none” algorithm.

FLEXDEPLOY-7773 - CVE-2020-8908 - guava - Creation of Temporary File in Directory with Insecure Permissions. All versions of FlexDeploy and some plugins ship with Guava. None of them call Guava methods to create a temporary file. No remediation is necessary.

FLEXDEPLOY-7773 - CVE-2018-10237 - Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable. Don’t expose FlexDeploy to untrusted access. Flexagon updated the version of guava shipped in version 7.0.0.0. The Docker, Seibel, and Jenkins plugins also contain guava jars that are vulnerable.

FLEXDEPLOY-7756 - The version of Maven that shipped with the FlexDeploy Maven, Apigee, and Mule plugins is vulnerable to CVEs CVE-2022-36033, CVE-2021-37714, CVE-2022-29599, CVE-2021-26291, CVE-2014-3577, CVE-2020-13956, and CVE-2015-5262. Flexagon will update the version of Maven that is shipped with those plugins. In the meantime, remediation of those vulnerabilities is possible by specifying a different version of Maven to be installed. Resolved in 7.0.0.0.

FLEXDEPLOY-7758 - The versions of commons-compress that ships with many plugins is vulnerable to CVEs CVE-2021-35515, CVE-2021-35516, CVE-2021-35517, CVE-2021-36090, Some are also vulnerable to CVE-2018-11771 and CVE-2018-1324. Flexagon will release new versions of those plugins. In the mean time, only decompress files that you trust. Partially resolved in 7.0.0.0. - Note that some of these CVEs will still be left in some plugins due to the Java versions that they are remaining compatible with.

FLEXDEPLOY-7760 - The version of SnakeYaml that is shipped with the Kubernetes and Helm plugins is vulnerable to CVEs CVE-2017-18640, CVE-2022-25857, CVE-2022-38749, CVE-2022-38751, CVE-2022-38752, CVE-2022-41854, CVE-2022-38750. Partially resolved in 7.0.0.0. We upgraded to 1.33, not to 2.0 of SnakeYaml. This resolves most of the CVEs.

March 7, 2023

FLEXDEPLOY-7173 - Tomcat 9.0.0-M1 to 9.0.70 is affected by CVE-2023-24998. This would affect FlexDeploy versions 5.4.0.0 - 6.5.0.2. This results in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Resolved in 6.0.0.7 and 6.5.0.3+.

March 6, 2023

FLEXDEPLOY-7748 - SVNKit reports that it is not affected by CVE-2022-45047 as it doesn’t use Apache SSHD library to load or save private key - key data is loaded externally. Nevertheless, SVNKit 1.10.11 will include newer version of Apache SSHD library (2.9.2) with that vulnerability fixed. FlexDeploy upgraded to that version in 8.0.0.0.

February 27, 2023

Snake YAML vulnerability CVE-2022-1471 does not affect FlexDeploy due to our constructor usage.

SVNKit ships with a version of Apache SSHD that may be affected by CVE-2022-45047. Flexagon is in communication with TMateSoft to determine if they are upgrading to a newer version, or if they consider the issue to not be concerning due to their usage. However, FlexDeploy was updated in 8.0.0.0.

FLEXDEPLOY-7681 - The version of GraphQL that ships with FlexDeploy is vulnerable to CVE-2022-37734. Resolved in 7.0.0.0

February 23, 2023

FLEXDEPLOY-7173 - Tomcat vulnerability CVE-2022-34305 affects most Tomcat versions that FlexDeploy runs on. However, FlexDeploy does not ship the example applications, so it is not vulnerable to this medium severity CVE. Resolved in 6.0.0.7 and 6.5.0.3+.

January 24, 2023

FLEXDEPLOY-7173 - Tomcat vulnerabilities CVE-2022-45143 and CVE-2022-42252 have been both reported but have been determined to not be risks with the FlexDeploy software. Resolved in 6.0.0.7 and 6.5.0.3+.

FLEXDEPLOY-7173 - CVE-2022-42242 - Apache Tomcat request smuggling. This only applies if rejectIllegalHeader is set to false.  FlexDeploy leaves this value at the default of true so this vulernability is not a risk in FlexDeploy implementations. Resolved in 6.0.0.7 and 6.5.0.3+.

CVE-2022-54143 - This only applies if the class JsonErrorReportValue is used.  FlexDeploy code does not use this class anywhere its code and as a result FlexDeploy is not at risk from this vulnerability.

PostgreSQL vulnerabilities:

  • FLEXDEPLOY-7172 - CVE-2022-41946 only affects large SQL statements and FlexDeploy does not generate any statements that large. PostgreSQL JDBC driver will be upgraded in an upcoming release. Resolved in 6.0.0.5 and 6.5.0.1+.

January 20, 2023    

A Critical Patch Update was released on January 20, 2023, to address a vulnerability in the following versions: 

  • 6.0.0.0 through 6.0.0.3

  • 5.7.0.0 through 5.7.0.11 

  • 5.6.0.0 through 5.6.0.6

  • 5.5.0.0 through 5.5.0.6

  • 5.4.0.0 through 5.4.0.5

  • 5.3.0.0 through 5.3.0.5    

This patch is available to download from our support site in the following versions.  Flexagon strongly recommends applying one of the applicable patches as soon as possible, as the upgrade fixes the identified vulnerability in the previous versions. 

  • 6.5.0.0

  • 6.0.0.4  

  • 5.7.0.12  

  • 5.6.0.7  

  • 5.5.0.7

  • 5.4.0.6  

  • 5.3.0.6  

You can upgrade to the latest version 6.0.0.4 from any of your existing versions, however, if you would like to avoid a major upgrade at this time, you must upgrade to at least a minor version based on your current version. For example, if you are on 5.7.0.x, then upgrade to 5.7.0.12.  

Our upgrade guide can be found at FlexDeploy Upgrade Guide. If you need help or assistance upgrading, please contact support by opening a support ticket at http://support.flexagon.com or sending an email to support@flexagon.com  

Flexagon takes the security of its products seriously. Flexagon’s support and development teams are gathering more information surrounding this vulnerability. Information on Flexagon’s Security Bulletin site will be updated continuously.  

December 20, 2022 

FlexDeploy 6.0 Release Notes | FlexDeploy 6.0.0.3 (12 20 2022) addresses the following vulnerabilities:

  • FLEXDEPLOY-4545, FLEXDEPLOY-6614 - Upgraded Spring jars and reduce the number of Spring jars present in FlexDeploy application binaries. This addresses Spring4Shell vulnerability - CVE-2022-22965. Resolved in 6.0.0.3 and 6.5.0.0+.

  • FLEXDEPLOY-6538 - Upgraded Apache Shiro libraries to address CVE-2022-40664. Resolved in 6.0.0.3 and 6.5.0.0+.

The following macros are not currently supported in the footer:
  • style