Last updated: Thu 29 April 2022, 4:30pm AEST
Vulnerabilities have been discovered in the Java JDK/JRE that affect any Java application running on unpatched versions of Java 7 through 18.
The version and maintenance of JDK/JRE running on a customer site is the responsibility of the customer.
More details on the issues are available through CVE-2022-21449 and CVE-2022-21476; in summary, the vulnerabilities make the following possible:
CVE-2022-21449
- Man-in-the-middle attack: an SSL certificate is forged and the Java web client fails to reject it.
- Authentication bypass: authentication tokens signed using ECDSA or DSA (JWTs, SAML assertions, OIDC ID tokens, etc.) could be forged, potentially allowing impersonation.
CVE-2022-21476
- XML security: use of an XPath transform to access local ‘.xml’ files remotely.
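The signature forgery behind CVE-2022-21449 comes down to an ECDSA verifier skipping the range check that FIPS 186-4 requires on the signature components r and s before any curve arithmetic: both must lie in [1, n-1], where n is the curve order. The Python below is an added example (not Objective's code and not the JDK's fix) of that pre-check applied to a DER-encoded signature, assuming the P-256 curve order and using constructed sample signatures; it handles only short-form DER lengths, which covers P-256 signatures.

```python
from __future__ import annotations

# Order n of the P-256 (secp256r1) curve, from FIPS 186-4. Other curves have other n.
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def parse_der_ecdsa_signature(sig: bytes) -> tuple[int, int]:
    """Decode DER SEQUENCE { INTEGER r, INTEGER s }; short-form lengths only."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] >= 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    pos, values = 2, []
    for _ in range(2):
        if pos + 2 > len(sig) or sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = sig[pos + 1]
        if length == 0 or length >= 0x80 or pos + 2 + length > len(sig):
            raise ValueError("bad INTEGER length")
        # DER INTEGER is two's complement, so a negative value decodes as negative
        # and fails the range check below instead of being silently accepted.
        values.append(int.from_bytes(sig[pos + 2:pos + 2 + length], "big", signed=True))
        pos += 2 + length
    if pos != len(sig):
        raise ValueError("trailing bytes after signature")
    return values[0], values[1]


def components_in_range(r: int, s: int, n: int = P256_ORDER) -> bool:
    """FIPS 186-4 verification step 1: reject unless 1 <= r <= n-1 and 1 <= s <= n-1."""
    return 1 <= r < n and 1 <= s < n


def is_acceptable_ecdsa_signature(sig: bytes, n: int = P256_ORDER) -> bool:
    """True only if the encoding parses and both components are in range."""
    try:
        r, s = parse_der_ecdsa_signature(sig)
    except ValueError:
        return False
    return components_in_range(r, s, n)


def der_encode_signature(r: int, s: int) -> bytes:
    """Constructed helper: DER-encode non-negative (r, s) with short-form lengths."""
    def der_int(v: int) -> bytes:
        body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # extra 0x00 if top bit set
        return b"\x02" + bytes([len(body)]) + body
    content = der_int(r) + der_int(s)
    return b"\x30" + bytes([len(content)]) + content


# Constructed samples: the all-zero "blank" signature and an in-range one.
BLANK_SIGNATURE = bytes.fromhex("3006020100020100")  # r = 0, s = 0
IN_RANGE_SIGNATURE = der_encode_signature(1, P256_ORDER - 1)
```

A patched JDK performs this check inside `Signature.verify`; running the same check on the raw signature bytes before handing them to a library is a cheap way to confirm that an unpatched runtime is not being relied on for it.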
Please return to this blog post for updates from the Objective Team.
Are my Objective solutions affected?
Since the issue was initially identified, the Objective Product Development Team has been actively investigating the impact of the vulnerability across the entire range of Objective solutions. Each product has been updated with a status, denoting the current state of the investigation and the next steps to be taken.
The following tables will be updated as each investigation progresses. The status values used are:
- Not Affected: Vulnerability does not affect this product
- Mitigated: Security configuration put in place whilst awaiting Patch
- Mitigation Available: A Security configuration is available to be applied
- Patch Pending: Investigation complete. Mitigation in progress
- Patch Applied: Patch has been applied by the Objective Team
- Patch Available: Patch available for customers to install. Contact Objective Support for details
Content Solutions
| Product | Status CVE-2022-21449 | Status CVE-2022-21476 |
|---|---|---|
| Objective ECM 11.1 | Not Affected | Not Affected* |
| Objective ECM 11.0.x | Not Affected | Not Affected* |
| Objective ECM 10.x | Not Affected | Not Affected* |
| Objective Connect | Not Affected | Not Affected |
| Objective Connect Link (on-premise) | Not Affected | Not Affected* |
| Objective Connect Link (cloud) | Not Affected | Not Affected |
| Objective Gov365 (on-premise) | Not Affected | Not Affected |
| Objective Gov365 (Cloud) | Not Affected | Not Affected |
| Objective Redact | Not Affected | Not Affected |
| Objective Ministerials | Not Affected | As per ECM |
| Objective OpenGov | Not Affected | As per ECM |
RegTech
| Product | Status CVE-2022-21449 | Status CVE-2022-21476 |
|---|---|---|
| Objective RegWorks (cloud) | Not Affected | Not Affected |
| Objective RegWorks Mobile | Not Affected | Not Affected |
| Objective RegWorks (on-prem) | Not Affected | Not Affected |
| Objective RegWorks Mobile (on-prem) | Not Affected | Not Affected |
| Objective Reach | Not Affected | Not Affected |
Keystone
| Product | Status CVE-2022-21449 | Status CVE-2022-21476 |
|---|---|---|
| Objective Keystone | Not Affected | Not Affected |
Planning and Building
| Product | Status CVE-2022-21449 | Status CVE-2022-21476 |
|---|---|---|
| Objective Trapeze | Not Affected | Not Affected |
| AlphaOne | Not Affected | Not Affected |
| GoGet | Not Affected | Not Affected |
Footnotes:
* A Java bug exists in the latest JDK 11.0.15, 11.0.16 and JDK 8u331 that introduces a start-up issue for the WildFly application server within the ECM environment.