CVEs
2023
CVE-2023-6299 - The CVE report is, as of this writing, wrong, as versions >=8.0.2 are not affected (7.2.4 and 7.1.16 were affected, and addressed)
CVE-2023-6298 - disputed (it's an ArrayIndexOutOfBoundsException). See this page for more details, and also regarding CVE-2022-24198.
2022
CVE-2022-24198 - disputed (check the link for details, or see the page linked above)
CVE-2022-24196 - addressed with 7.1.18 and 7.2.2
CVE-2022-24197 - addressed with 7.1.18 and 7.2.2
2021
CVE-2021-43113 - addressed with 7.1.17 and 5.5.13.3
iText dependencies:
2024
CVE-2024-47554 - This is a potential CVE (under analysis as of this writing) that affects one of our dependencies, Apache Commons IO. Versions >= 2.0 < 2.14.0. This is fixed with pdfOCR 4.0.0.
CVE-2024-34447/CVE-2024-30172/CVE-2024-30171/CVE-2024-29857 - These are CVEs that affect one of our dependencies, BouncyCastle < 1.78. Versions 8.0.4 and above, and version 7.2.7 and above, are not affected by this. In case you are using version 7.2.6, you can add the bouncy castle dependency 1.78 to your project, which will be used instead. There is also the case where our licensing libraries are affected (4.0.6), and the fix is the same.
Here’s a simple example of how to do it, if you’re using Maven (where the version needs to be at least 1.78 (1.78.1 was already available at the time of this writing)):
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpkix-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>${bouncycastle.version}</version>
</dependency>
CVE-2024-21634 - This CVE report describes a potential denial-of-service issue existing in
ion-java
, which is a transitive dependency for ourlicensing-remote
module sinceaws-java-sdk-cognitoidentity
depends uponion-java
. However, we do not consider this to be critical, since the report states “Do not load data which originated from an untrusted source or that could have been tampered with. Only load data you trust” as a workaround. Aslicensing-remote
only works with our AWS infrastructure, it is a trusted source. So, we are not affected. In any case, starting from version 4.1.4 oflicensing-remote
we’ve updatedaws-java-sdk-kinesis
to version 1.12.658 which addresses this issue.
2022
CVE-2022-45688 - can be reported by
OWASP Dependency Checker
forjackson-core-2.13.4.jar
however, we don't have a dependency on the vulnerable library (details)CVE-2022-45146 - FIPS-compliant users are unaffected because the FIPS certification is only for Java 7, 8, and 11 (and this module is only used for FIPS compliance)