Fixing the following Vulnerabilities reported from a snyk Scan + Minimum Mule Runtime 4.3

[sup-mule]

JSON Logger 2.0.1 Vulnerabilities Report

Tested 130 dependencies for known issues, found 33 issues, 33 vulnerable paths.

Critical Severity

• ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:woodstox-core@5.0.2 introduced by org.mule.services:mule-service-weave:mule-service@2.1.2 > org.mule.weave:runtime@2.1.2 > org.mule.weave:core-modules@2.1.2 > com.fasterxml.woodstox:woodstox-core@5.0.2 This issue was fixed in versions: 5.3.0
• ✗ Remote Code Execution (RCE) [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGMULERUNTIME-1089453] in org.mule.runtime:mule-core@4.1.1 introduced by org.mule.runtime:mule-core@4.1.1 This issue was fixed in versions: 4.3.0
• ✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGMULERUNTIME-1089455] in org.mule.runtime:mule-core@4.1.1 introduced by org.mule.runtime:mule-core@4.1.1 This issue was fixed in versions: 4.3.0
• ✗ Remote Code Execution [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2436751] in org.springframework:spring-beans@5.1.6.RELEASE introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > org.mule.connectors:mule-jms-client@1.6.2 > org.springframework:spring-jms@5.1.6.RELEASE > org.springframework:spring-beans@5.1.6.RELEASE This issue was fixed in versions: 5.2.20, 5.3.18

High Severity

• ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-2806360] in org.yaml:snakeyaml@1.18 introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18 This issue was fixed in versions: 1.31
• ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302] in com.fasterxml.jackson.core:jackson-databind@2.10.3 introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
• ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244] in com.fasterxml.jackson.core:jackson-databind@2.10.3 introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
• ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-1078499] in net.minidev:json-smart@2.3 introduced by com.jayway.jsonpath:json-path@2.4.0 > net.minidev:json-smart@2.3
• ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-DOM4J-174153] in dom4j:dom4j@1.6.1 introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > dom4j:dom4j@1.6.1 No upgrade or patch available
• ✗ Denial of Service (DoS) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGJSON-2841369] in org.json:json@20160810 introduced by org.mule.runtime:mule-metadata-model-json@1.1.1 > org.everit.json:org.everit.json.schema@1.5.0 > org.json:json@20160810 This issue was fixed in versions: 20180130
• ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-DOM4J-2812975] in dom4j:dom4j@1.6.1 introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > dom4j:dom4j@1.6.1 No upgrade or patch available
• ✗ XML External Entity (XXE) Injection [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHEXMLBEANS-1060048] in org.apache.xmlbeans:xmlbeans@2.6.0 introduced by org.mule.runtime:mule-metadata-model-xml@1.1.1 > org.apache.xmlbeans:xmlbeans@2.6.0 This issue was fixed in versions: 3.0.0

Medium Severity

• ✗ Denial of Service (DoS) (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038424] in com.fasterxml.jackson.core:jackson-databind@2.10.3 introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
• ✗ Denial of Service (DoS) (new) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426] in com.fasterxml.jackson.core:jackson-databind@2.10.3 introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
• ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2326698] in com.fasterxml.jackson.core:jackson-databind@2.10.3 introduced by com.fasterxml.jackson.core:jackson-databind@2.10.3
• ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-NETMINIDEV-1298655] in net.minidev:json-smart@2.3 introduced by com.jayway.jsonpath:json-path@2.4.0 > net.minidev:json-smart@2.3
• ✗ Deserialization of Untrusted Data [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327] in com.google.code.gson:gson@2.8.5 introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > com.google.code.gson:gson@2.8.5 This issue was fixed in versions: 2.8.9
• ✗ Directory Traversal [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMMONSIO-1277109] in commons-io:commons-io@2.6 introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > commons-io:commons-io@2.6 This issue was fixed in versions: 2.7
• ✗ Server-side Request Forgery (SSRF) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGMULERUNTIME-1089457] in org.mule.runtime:mule-core@4.1.1 introduced by org.mule.runtime:mule-core@4.1.1 This issue was fixed in versions: 4.3.0
• ✗ Improper Output Neutralization for Logs [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2329097] in org.springframework:spring-core@5.0.4.RELEASE introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > org.springframework:spring-core@5.0.4.RELEASE This issue was fixed in versions: 5.3.12, 5.2.18
• ✗ Improper Input Validation [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2330878] in org.springframework:spring-core@5.0.4.RELEASE introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > org.springframework:spring-core@5.0.4.RELEASE This issue was fixed in versions: 5.2.19.RELEASE, 5.3.14
• ✗ Multipart Content Pollution [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-460644] in org.springframework:spring-core@5.0.4.RELEASE introduced by com.mulesoft.muleesb.modules:anypoint-mq-rest-client@3.1.0 > org.springframework:spring-core@5.0.4.RELEASE This issue was fixed in versions: 4.3.14.RELEASE, 5.0.5.RELEASE
• ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2434828] in org.springframework:spring-expression@4.1.9.RELEASE introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > org.mule.runtime:mule-module-spring-config@4.1.1 > org.springframework:spring-context@4.1.9.RELEASE > org.springframework:spring-expression@4.1.9.RELEASE This issue was fixed in versions: 5.2.20.RELEASE, 5.3.17
• ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823313] in org.springframework:spring-beans@5.1.6.RELEASE introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > org.mule.connectors:mule-jms-client@1.6.2 > org.springframework:spring-jms@5.1.6.RELEASE > org.springframework:spring-beans@5.1.6.RELEASE This issue was fixed in versions: 5.2.22.RELEASE, 5.3.20
• ✗ Improper Handling of Case Sensitivity [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2689634] in org.springframework:spring-context@4.1.9.RELEASE introduced by org.mule.runtime:mule-module-extensions-spring-support@4.1.1 > org.mule.runtime:mule-module-spring-config@4.1.1 > org.springframework:spring-context@4.1.9.RELEASE This issue was fixed in versions: 5.2.21, 5.3.19
• ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGSPRINGFRAMEWORK-2823310] in org.springframework:spring-messaging@5.1.6.RELEASE introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > org.mule.connectors:mule-jms-client@1.6.2 > org.springframework:spring-jms@5.1.6.RELEASE > org.springframework:spring-messaging@5.1.6.RELEASE This issue was fixed in versions: 5.2.22.RELEASE, 5.3.20
• ✗ Stack-based Buffer Overflow [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3016891] in org.yaml:snakeyaml@1.18 introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18 This issue was fixed in versions: 1.31
• ✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-537645] in org.yaml:snakeyaml@1.18 introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18 This issue was fixed in versions: 1.26

Low Severity

• ✗ Information Disclosure [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMGOOGLEGUAVA-1015415] in com.google.guava:guava@25.1-jre introduced by org.mule.connectors:mule-jms-connector:mule-plugin@1.6.3 > com.google.guava:guava@25.1-jre This issue was fixed in versions: 30.0-android, 30.0-jre
• ✗ Stack-based Buffer Overflow [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3016888] in org.yaml:snakeyaml@1.18 introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18 This issue was fixed in versions: 1.32
• ✗ Stack-based Buffer Overflow [Low Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGYAML-3016889] in org.yaml:snakeyaml@1.18 introduced by org.mule.runtime:mule-core@4.1.1 > org.yaml:snakeyaml@1.18 This issue was fixed in versions: 1.31