Vulnerability Resolution Timeline

Problem:
The following vulnerabilities have been detected by our scanners in the Foreman application:

Apache Tomcat 9.0.0-M1 < 9.0.68 Request Smuggling Vulnerability
Apache Commons Text 1.5.x < 1.10.0 Remote Code Execution
PostgreSQL JDBC Driver 42.2.x < 42.2.27 / 42.3.x < 42.3.8 / 42.4.x < 42.4.3 / 42.5.x < 42.5.1 Information Disclosure

Expected outcome:
The indicated software packages must be updated to the following versions to close detected vulnerabilities:

Apache Tomcat - 9.0.69
Apache Commons Text - 1.10.0
PostgreSQL JDBC Driver - 42.4.3

Is implementation of the above updates currently planned for a future release? If so, is there an expected timeline available for these updates?

What scanner? Did it actually test for vulnerabilities or did it only find out the versions of the software? Do you know how RHEL derivatives work?

Requirements like these will not really work on a RHEL-derived system…

Also, what version of Foreman on what OS platform version?
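The distinction raised above (a scanner matching on version strings versus a distribution that backports fixes without bumping the upstream version) can be checked locally by reading the package changelog. The following is an added illustration, not code from the thread or from Foreman: it parses constructed `rpm -q --changelog` style output, extracts the CVE ids each entry claims to resolve, and compares that with the scanner's "fixed in" version. The changelog text and the CVE id `CVE-0000-00001` are constructed placeholders, not identifiers from this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `rpm -q --changelog <package>` output. The package
# version, maintainer and CVE id are placeholders, not real data.
SAMPLE_CHANGELOG = """\
* Tue Nov 01 2022 Example Packager <packager@example.com> - 9.0.62-5
- Resolves: CVE-0000-00001 request smuggling fix backported from upstream

* Mon Aug 15 2022 Example Packager <packager@example.com> - 9.0.62-4
- Rebuild for updated build root
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_changelog(text: str) -> List[Tuple[str, List[str]]]:
    """Return [(evr, [cve ids mentioned in that entry]), ...] in file order.

    An entry header is a line starting with '* ' whose last ' - ' separated
    token is the package epoch/version/release (EVR) as rpm prints it.
    """
    entries: List[Tuple[str, List[str]]] = []
    current_evr = None
    current_cves: List[str] = []
    for line in text.splitlines():
        if line.startswith("* "):
            if current_evr is not None:
                entries.append((current_evr, current_cves))
            current_evr = line.rsplit(" - ", 1)[-1].strip()
            current_cves = []
        elif current_evr is not None:
            current_cves.extend(CVE_RE.findall(line))
    if current_evr is not None:
        entries.append((current_evr, current_cves))
    return entries


def upstream_version(evr: str) -> Tuple[int, ...]:
    """'9.0.62-5' -> (9, 0, 62): strip the distro release, keep numeric parts."""
    version = evr.split("-", 1)[0]
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def assess(installed_evr: str, scanner_fixed_version: str,
           changelog: str, cve: str) -> Dict[str, object]:
    """Combine the version-only scanner view with the changelog evidence."""
    below_fix = upstream_version(installed_evr) < upstream_version(scanner_fixed_version)
    backported = any(cve in cves for _, cves in parse_changelog(changelog))
    if not below_fix:
        verdict = "installed version is at or above the scanner's fixed version"
    elif backported:
        verdict = "version is below the upstream fix but the changelog records a backport; confirm against the vendor advisory"
    else:
        verdict = "version is below the upstream fix and no backport is recorded; investigate"
    return {"version_below_fix": below_fix, "backported_fix": backported, "verdict": verdict}


if __name__ == "__main__":
    for evr, cves in parse_changelog(SAMPLE_CHANGELOG):
        print(evr, cves)
    print(assess("9.0.62-5", "9.0.68", SAMPLE_CHANGELOG, "CVE-0000-00001"))
```

On a real system the changelog would come from `rpm -q --changelog <package>`, and a changelog mention is a lead rather than proof: the vendor's errata for the package remains the authoritative source for which CVE ids a given release addresses.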

@gvde Nessus, and it seems like it is only checking for the affected software versions.

I see what you mean, these packages seem to be sourced from Red Hat, not bundled with Foreman. Bad information on my side.