
CVEs

2024

  • CVE-2024-21634 - This CVE report describes a potential denial-of-service issue in ion-java, which is a transitive dependency of our licensing-remote module because aws-java-sdk-cognitoidentity depends on ion-java. However, we do not consider this to be critical, since the report gives “Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust” as a workaround. Because licensing-remote only works with our AWS infrastructure, which is a trusted source, we are not affected. In any case, starting from version 4.1.4 of licensing-remote (you can get the -SNAPSHOT version right now), we’ve updated aws-java-sdk-kinesis to version 1.12.658, which addresses this issue.

2023

  • CVE-2023-6299 - The CVE report is, as of this writing, wrong: versions >=8.0.2 are not affected (7.2.4 and 7.1.16 were also affected, and addressed).

  • CVE-2023-6298 - disputed (it's an ArrayIndexOutOfBoundsException). See this page for more details, and also regarding CVE-2022-24198.

2022

2021



iText dependencies:

2022

  • CVE-2022-45688 - can be reported by OWASP Dependency Checker for jackson-core-2.13.4.jar; however, we don't have a dependency on the vulnerable library (details)

  • CVE-2022-45146 - FIPS-compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11 (and this module is only used for FIPS compliance)
