Good Day,
My organization makes use of Nessus vulnerability scanner and recent scan picked up that Openspecimen server reportedly have some vulnerabilities namely Log4J and Tomcat - please see attached screenshot.
Could you please provide guidance on what can be done to mitigate these reported vulnerabilities. We have upcoming CyberEssentials Plus audit and External/Internal Penetration Tests and we afraid this will get flagged.
Brendan,
For Log4J: Which branch/tag did you build the code from? It should not be an issue if you built using master or the latest release.
For Tomcat: you have to figure it locally. We cannot provide Tomcat/Apache level guidance.
~Sri
Confirmed its v9.1RC4 as I reported an issue with Blank pages after install.
Hi @Brendan,
I think you can ignore the warnings as they are appearing in the integration-tests. These tests do not impact your OpenSpecimen runtime. We’ll remove these from v10.1 onward.
Thanks,
Vinayak
Unfortunately ignoring is not an option for us as it could result in failing the cyber security audit. I assume because its integration-test folder I can go ahead and delete the folder or at minimum remove log4j jar file without causing any issues with Openspecimen runtime?
You can delete the integration-test directory without any side effects at runtime.
Thanks - any comments on CVE-2022-22978 Authorization bypass in Spring Security · CVE-2022-22978 · GitHub Advisory Database As this vulnerability is also prevalent in version v9.1RC4?
OpenSpecimen does not use/invoke any of the “RegexRequestMatcher” methods. Therefore OpenSpecimen is not impacted by the vulnerability.
That being said, we are upgrading the backend tech stack in v10.1, which is slated for release in early March 2023.
