Closed instinet-tony-cowell closed 2 years ago
Hi @instinet-tony-cowell, thank you for raising this ticket. I guess there was a typo and you meant CVE-2022-42889, an RCE exploiting apache:commons-text, which is the only CVE listed in https://mvnrepository.com/artifact/org.finos.symphony.bdk/symphony-bdk-core/2.9.0.
CVE-2022-42899 has nothing to do with this repository; it concerns Bentley MicroStation-based apps, which is a 2D/3D graphics platform.
A fix will be released on Monday morning at the latest. We use Mend WhiteSource as a security scanning tool, but it somehow did not capture this CVE. I will check what happened and make sure no CVE goes unnoticed in the future.
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Hi @symphony-soufiane. You are quite right. Fat fingers on my part. I did indeed mean CVE-2022-42889. I'll keep an eye out for the release. Thanks for the quick turnaround!
Please find the new 2.10.0 release: https://github.com/finos/symphony-bdk-java/releases/tag/2.10.0
Support Question
Hi, is there any ETA on a new version of the BDK that mitigates CVE-2022-42899? I see the latest version is exposed to it: https://mvnrepository.com/artifact/org.finos.symphony.bdk/symphony-bdk-core/2.9.0. Thanks
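A check a reader of this thread might want before and after the upgrade: scan a project's `mvn dependency:tree` output and flag any resolved artifact that is still below the version that carries the fix. This is an added example, not code from the thread or from the Symphony BDK project; the BDK coordinates and the 2.10.0 release come from the thread, while the commons-text 1.10.0 threshold for CVE-2022-42889 and the sample tree are assumptions constructed here.

```python
import re
from typing import Dict, List, Tuple

# Artifact coordinate -> first version that carries the fix.
# symphony-bdk-core 2.10.0 is the release named in this thread; the
# commons-text 1.10.0 threshold for CVE-2022-42889 is an assumption
# made here, to be verified against the upstream advisory.
FIXED_IN: Dict[str, str] = {
    "org.finos.symphony.bdk:symphony-bdk-core": "2.10.0",
    "org.apache.commons:commons-text": "1.10.0",
}

# Constructed sample of `mvn dependency:tree` output (not a real build log).
SAMPLE_TREE = """\
[INFO] com.example:bot:jar:1.0-SNAPSHOT
[INFO] +- org.finos.symphony.bdk:symphony-bdk-core:jar:2.9.0:compile
[INFO] |  \\- org.apache.commons:commons-text:jar:1.9:compile
[INFO] \\- org.slf4j:slf4j-api:jar:1.7.36:compile
"""

# groupId:artifactId:packaging:version[:scope]
COORD_RE = re.compile(r"([\w.-]+):([\w.-]+):[\w-]+:([\w.-]+)(?::\w+)?")


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric prefix of each dotted component, so '1.9' < '1.10.0'."""
    parts = []
    for component in v.split("."):
        m = re.match(r"\d+", component)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if a < b; pads with zeros so '1.10' equals '1.10.0'."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def find_vulnerable(tree_text: str, fixed_in: Dict[str, str] = FIXED_IN) -> List[Tuple[str, str, str]]:
    """Return (coordinate, resolved_version, fixed_version) for each tracked artifact below its fix."""
    hits = []
    for line in tree_text.splitlines():
        m = COORD_RE.search(line)
        if not m:
            continue
        coord, version = f"{m.group(1)}:{m.group(2)}", m.group(3)
        fixed = fixed_in.get(coord)
        if fixed and version_lt(version, fixed):
            hits.append((coord, version, fixed))
    return hits
```

Run it on real output with `mvn dependency:tree | python3 check.py` style piping of `sys.stdin.read()` into `find_vulnerable`; an empty result means every tracked artifact is at or above its fix version.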