Content Security Reporter 2.9.2 Release Notes
Releases can introduce new features and enhancements or update platform support.
This release includes a JRE upgrade, FQDN changes, support for ePO™ CU18, and fixes for known issues and vulnerabilities.
Vulnerabilities Fixed
The following vulnerabilities are fixed in CSR 2.9.2.
CVE Identifier | Component | Security Risk | Score | Fix |
---|---|---|---|---|
CVE-2022-45047 | Apache Mina SSHD :: Common support utilities 2.3.0 | Critical | 9.8 | Wildfly 26.1.3.Final |
CVE-2019-10202 | Data Mapper for Jackson 1.8.5 | Critical | 9.8 | jackson-core-2.14.3.jar |
CVE-2022-22965 | Spring Framework 4.1.6.RELEASE | Critical | 9.1 | Spring Framework 5.3.30 |
CVE-2018-1270 | Spring Framework 4.1.6.RELEASE | High | 8.8 | Spring Framework 5.3.30 |
CVE-2018-1275 | Spring Framework 4.1.6.RELEASE | High | 8.5 | Spring Framework 5.3.30 |
CVE-2018-15756, CVE-2015-5211 | Spring Framework 4.1.6.RELEASE | High | 7.5 | Spring Framework 5.3.30 |
CVE-2016-1000027 | Spring Framework 4.1.6.RELEASE | High | 7.3 | Spring Framework 5.3.30 |
BDSA-2022-0847 | Spring Framework 4.1.6.RELEASE | High | 7.1 | Spring Framework 5.3.30 |
CVE-2022-46364 | Apache CXF cxf-3.4.4 | High | 8.7 | Apache CXF 3.5.6 |
CVE-2021-40690 | Apache CXF cxf-3.4.4 | High | 7.5 | Apache CXF 3.5.6 |
CVE-2023-44487 | Apache Tomcat 9.0.79 | High | 7 | Wildfly 26.1.3.Final |
CVE-2020-15180 | MariaDB 10.4.13 | High | 8.8 | MariaDB 10.11.5 |
CVE-2022-0778, CVE-2018-25032, CVE-2022-27378, | MariaDB 10.4.13 | High | 7.5 | MariaDB 10.11.5 |
CVE-2020-28912 | MariaDB 10.4.13 | High | 7.3 | MariaDB 10.11.5 |
CVE-2021-3711 | MySQL Connector/J 6.0.2 | Critical | 9.8 | MariaDB 10.11.5 |
CVE-2023-22102 | MySQL Connector/J 6.0.2 | High | 8.3 | MariaDB 10.11.5 |
CVE-2022-21824 | MySQL Connector/J 6.0.2 | High | 8.2 | MariaDB 10.11.5 |
CVE-2018-3258 | MySQL Connector/J 6.0.2 | High | 7.7 | MariaDB 10.11.5 |
CVE-2020-1967 | MySQL Connector/J 6.0.2 | High | 7.5 | MariaDB 10.11.5 |
CVE-2021-44531, CVE-2021-3712, CVE-2021-3450 | MySQL Connector/J 6.0.2 | High | 7.4 | MariaDB 10.11.5 |
CVE-2015-2156 | Netty Project 3.6.1.Final | High | 7.5 | Netty Project 3.10.6.Final |
CVE-2023-3635 | OkIO 1.17.5 | High | 7.5 | Wildfly 26.1.3.Final |
CVE-2022-34169 | Open JDK 8u312-b07 | High | 7.4 | Open JDK 8u382b05 |
Open JDK 8u382b05 | Oracle Database JDBC Drivers 11.2.0.4 | High | 8.1 | MariaDB 10.11.5 |
CVE-2022-21724 | PostgreSQL JDBC Driver (pgjdbc) 9.4-1208 | High | 8.8 | MariaDB 10.11.5 |
CVE-2020-13692 | PostgreSQL JDBC Driver (pgjdbc) 9.4-1208 | High | 8.5 | MariaDB 10.11.5 |
CVE-2018-10936 | PostgreSQL JDBC Driver (pgjdbc) 9.4-1208 | High | 8.1 | MariaDB 10.11.5 |
CVE-2023-39017 | Quartz Enterprise Job Scheduler 2.2.3 | Critical | 9.8 | Quartz 2.3.2 |
CVE-2019-13990 | Quartz Enterprise Job Scheduler 2.2.3 | High | 7.9 | Quartz 2.3.2 |
CVE-2022-31690, CVE-2022-22978 | Spring Security 4.0.1.RELEASE | High | 7.1 | Spring Security 5.6.12 |
Installing and upgrading Content Security Reporter
NOTE: Only version 2.9.1 supports a direct upgrade to 2.9.2. From earlier versions such as 2.5, 2.6, 2.7, 2.8, and 2.9, you must first upgrade to 2.9.1 and then upgrade to 2.9.2.
- Refer to Install Content Security Reporter for the First Time for information about installing the software.
- Prepare for your upgrade.
  NOTE:
  - If you are using CSR 2.8 or a later version, copy csr.keystore from ..\reporter\jboss\standalone\configuration\ to a safe location and rename it to csr.keystore.old, along with the latest backup.xml file.
  - If you are using CSR 2.7 or an older version, copy keystore.jks from ..\reporter\jboss\standalone\configuration\ to a safe location.
- Upgrade the software automatically from CSR 2.9.1 to CSR 2.9.2.
- If you plan to upgrade from an older version such as CSR 2.6, 2.7, 2.8, or 2.9 to CSR 2.9.2, you must follow Prepare for your upgrade and Upgrade the software manually.
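The keystore backup step above is easy to get wrong (wrong file for the installed version, a copy that silently truncated, an earlier backup overwritten). The following PowerShell script is an added example, not part of these release notes or of the CSR product: it selects the keystore file by installed version as the notes describe, copies it and the latest backup.xml to a timestamped folder, and verifies each copy by SHA-256 before trusting it. The install root, the location of backup.xml and the backup directory are placeholders (the notes give only the relative path ..\reporter\jboss\standalone\configuration\), so adjust the parameters to your deployment.

```powershell
# Added example (not the product's own tooling): back up the CSR keystore and
# latest backup.xml before upgrading to 2.9.2, and verify the copies by hash.
# Assumptions (placeholders, adjust to your install):
#   - CSR is installed under $CsrRoot and the keystore lives in
#     reporter\jboss\standalone\configuration\ as the release notes state.
#   - backup.xml is passed in $BackupXml because the notes do not say where it lives.
#   - $BackupDir should be on a volume whose ACL is restricted to administrators;
#     the keystore holds the server's private key material.
param(
    [string]$CsrRoot   = 'C:\Program Files\Trellix\Content Security Reporter',  # placeholder
    [string]$BackupXml = 'C:\csr\backup.xml',                                   # placeholder
    [string]$BackupDir = 'D:\csr-upgrade-backup',                               # placeholder
    [ValidateSet('2.7-or-older', '2.8-or-later')]
    [string]$InstalledVersion = '2.8-or-later'
)

$ErrorActionPreference = 'Stop'
$configDir = Join-Path $CsrRoot 'reporter\jboss\standalone\configuration'

# Which keystore file to save, and what to call the copy, depends on the
# installed version (csr.keystore -> csr.keystore.old for 2.8+, keystore.jks as-is before that).
if ($InstalledVersion -eq '2.8-or-later') {
    $sourceName = 'csr.keystore'
    $targetName = 'csr.keystore.old'
} else {
    $sourceName = 'keystore.jks'
    $targetName = 'keystore.jks'
}

function Copy-Verified {
    param([string]$Source, [string]$Destination)
    if (-not (Test-Path -LiteralPath $Source)) {
        throw "Source not found: $Source"
    }
    Copy-Item -LiteralPath $Source -Destination $Destination
    # A truncated or altered keystore copy is worse than no backup, because you
    # only discover it when the restore fails: compare SHA-256 of source and copy.
    $srcHash = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $Destination -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) {
        throw "Hash mismatch for $Destination (source $srcHash, copy $dstHash)"
    }
    Write-Host "Backed up $Source -> $Destination (SHA-256 $dstHash)"
}

# Timestamped subfolder so repeated runs never overwrite an earlier backup.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $BackupDir "csr-pre-2.9.2-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null

Copy-Verified -Source (Join-Path $configDir $sourceName) -Destination (Join-Path $dest $targetName)

# The notes ask for the latest backup.xml alongside the keystore for 2.8 and later.
if ($InstalledVersion -eq '2.8-or-later') {
    Copy-Verified -Source $BackupXml -Destination (Join-Path $dest 'backup.xml')
}

Write-Host "Backup complete in $dest. Record the printed hashes with your change ticket."
```

Run it from an elevated PowerShell session on the CSR server before starting the upgrade; keeping the printed hashes with the change record lets you prove later that the restored keystore is the one you backed up.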
Fixed Issues
Reference | Issue description |
---|---|
CSR-686 | On adding the CSR DB, the ePO audit log status showed as failed. This issue is now resolved. |
CSR-712 | CSR is upgraded to the latest version of the JRE. |
CSR-714 | The Zulu version previously shipped with CSR was vulnerable (CVE-2023-21930, CVE-2023-21937, CVE-2023-21938, CVE-2023-21939, CVE-2023-21954, CVE-2023-21967, CVE-2023-21968). It is updated to the latest version. |
CSR-718 | Support for Trellix ePO 5.10.0 CU 18 (supports Content Support Policy changes). |
CSR-723 | CSR 2.9.2 includes the latest changes for extended FQDNs in CSR. |
CSR-726 | CSR version 2.9.1.40 had the following vulnerabilities in H2 Database and MariaDB. H2 Database: CVE-2021-42392. MariaDB: CVE-2022-24048, CVE-2022-24050, CVE-2022-24051 and CVE-2022-24052. Both are updated to the latest non-vulnerable version. |
CSR-783 | In Content Security Reporter, the Log4j file was vulnerable. It was addressed with the latest Log4j. |