    SmartClient 12.1 bundles Apache Compress jar (commons-compress-1.20.jar) which is vulnerable.

    Hi Team,

    We are using SmartClient 12.1, which bundles the Apache Compress jar (commons-compress-1.20.jar), and it is vulnerable to the CVEs listed below.
    In which version of SmartClient is this remediated? Please let us know, so that we can upgrade SmartClient to the specified version.
    CVE-2021-35515
    CVE-2021-35516
    CVE-2021-35517
    CVE-2021-36090

    Thanks

    #2
    Can you double check your SmartClient version? Apache Commons Compress is only bundled with our development branch, SmartClient 13.0d, and should not be included with any older version. Can you give us the exact version of the build you're running - for example "v12.1p_2021-10-05/EVAL Development Only" or "SNAPSHOT_v13.0d_2021-09-29/LGPL Development Only"?



      #3
      We've now addressed the issue in SC 13.0d (development release) by bumping the affected JAR to version 1.21. The fix should be in the next nightly builds, dated 2021-10-06.



        #4
        Thanks for your input.
        The SmartClient version we are using is SmartClient_v121p_2021-01-09_Enterprise.
        Just realized that the commons-compress jar is bundled by ourselves along with other jars. So with SmartClient (SmartClient_v121p_2021-01-09_Enterprise), if we use commons-compress 1.21, will it be compatible? So that I can just upgrade commons-compress to solve the vulnerability?

        Thanks in advance for the help.



          #5
          SmartClient 12.1 (and earlier releases) have no dependency on Apache Commons Compress JAR, so any compatibility issue would only be with your own software or other JARs that you've added that need it.

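The thread turns on a question every team with a deployment like this has to answer: which commons-compress JAR is actually on the classpath, and is it older than the fixed 1.21? As an added example that is not from the SmartClient project or the posters, this script reads the Maven `pom.properties` inside each JAR (falling back to the file name for renamed copies) and flags anything below 1.21. The `make_jar` helper builds a constructed sample JAR so it runs offline.

```python
import io
import re
import zipfile
from pathlib import Path

# commons-compress 1.21 is the release the thread names as the fix for
# CVE-2021-35515, CVE-2021-35516, CVE-2021-35517 and CVE-2021-36090.
FIXED_VERSION = (1, 21, 0)
POM_PROPS = "META-INF/maven/org.apache.commons/commons-compress/pom.properties"


def parse_version(text):
    """Turn '1.20' or '1.21-SNAPSHOT' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(g) for g in m.groups(default="0")) if m else None


def commons_compress_version(jar_bytes, filename):
    """Return the commons-compress version of a JAR, or None if it is not one.
    Prefers the Maven metadata inside the archive, since the file name can be
    renamed or stripped of its version when a vendor repackages it."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PROPS in zf.namelist():
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    return parse_version(value.strip())
    m = re.match(r"commons-compress-(\d+\.\d+(?:\.\d+)?)", filename)
    return parse_version(m.group(1)) if m else None


def is_vulnerable(version):
    return version is not None and version < FIXED_VERSION


def make_jar(version):
    """Constructed sample JAR holding only the Maven pom.properties entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"groupId=org.apache.commons\n"
                               f"artifactId=commons-compress\nversion={version}\n")
    return buf.getvalue()


def scan_lib_dir(lib_dir):
    """List (path, version) for every JAR under lib_dir that is commons-compress < 1.21."""
    findings = []
    for jar in Path(lib_dir).rglob("*.jar"):
        v = commons_compress_version(jar.read_bytes(), jar.name)
        if is_vulnerable(v):
            findings.append((str(jar), ".".join(map(str, v))))
    return findings
```

Point `scan_lib_dir` at the deployed `WEB-INF/lib` (or whichever directory holds the JARs you ship alongside SmartClient) to confirm the upgrade actually landed rather than trusting the build manifest.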
