Known security issues in KSE 8.3

Please can I get some advice regarding today’s email from Katalon “[Action Required] Known Vulnerabilities with Katalon Studio”?

Is it necessary for us to upgrade postgresql and jackson-databind in all our Katalon projects if all we are doing is creating and executing automation against internal apps (within our private network)?

Also, while the postgresql upgrade is simple, with one simple jar file, I’m not sure about jackson-databind. The link goes to a Maven repository, I don’t see anywhere on the page that gives me a download for a jar file, so does this mean I have to download the maven project and build it myself in Eclipse?

Hi @gengland

You can download the latest jackson-databind library in Maven Central Repository. Here’s a link to version 2.13.2.2: https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.2.2. In Files, click bundle to download the library.

Happy Testing

Jass

3 Likes

Perfect, thanks Jass

1 Like

Hi All,

To ensure security, we made some updates regarding Security Compliance in version 8.3.5 as follows:

  • [Spring4Shell] Updated spring-context from 5.1.0.RELEASE to 5.3.19.
  • Updated jackson-databind from 2.11.2 to 2.13.2.2 to resolve the CVE-2020-36518 vulnerability.
  • Updated PostgreSQL from 42.2.17.jre7 to 42.3.3 to resolve the CVE-2022-26520 and CVE-2022-21724 vulnerabilities.

Download version 8.3.5 here and see what’s new in this latest release at Release notes 8.3.5.

Regards,
Shin

2 Likes
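For anyone who wants to check existing projects before upgrading, the following is an added example (not Katalon's code and not part of this thread) that inventories the JAR files in a project's library folder and flags the three libraries named in the 8.3.5 announcement when they sit below the versions listed there. The folder layout, the file-name convention `artifact-version.jar`, the sample file names and the version-parsing rules are assumptions; the minimum versions are the ones stated above.

```python
"""Flag JAR files below the versions shipped with Katalon Studio 8.3.5.

Added example, not Katalon's own tooling. Minimum versions are taken from the
8.3.5 announcement; everything else (directory layout, file names) is assumed.
"""
import os
import re
import sys
from typing import List, Optional, Tuple

# Lowest acceptable versions named in the 8.3.5 announcement.
MIN_VERSIONS = {
    "jackson-databind": "2.13.2.2",  # CVE-2020-36518
    "postgresql": "42.3.3",          # CVE-2022-26520, CVE-2022-21724
    "spring-context": "5.3.19",      # Spring4Shell
}

# Assumed naming convention: <artifact>-<version>.jar, e.g. postgresql-42.2.17.jre7.jar
JAR_RE = re.compile(r"^(?P<artifact>[a-z][a-z0-9\-]*?)-(?P<version>\d[\w.]*)\.jar$")

# Constructed sample of a project's lib folder (not real output from any project).
SAMPLE_JARS = [
    "jackson-core-2.11.2.jar",
    "jackson-databind-2.11.2.jar",
    "postgresql-42.2.17.jre7.jar",
    "spring-context-5.1.0.RELEASE.jar",
    "spring-context-5.3.19.jar",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Keep the leading numeric components only: '42.2.17.jre7' -> (42, 2, 17).

    Qualifiers such as 'jre7' or 'RELEASE' carry no ordering information here,
    so they are dropped rather than compared lexically.
    """
    parts: List[int] = []
    for piece in version.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1; shorter tuples are zero-padded so 2.13.2 < 2.13.2.2."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def parse_jar_name(name: str) -> Optional[Tuple[str, str]]:
    """Split 'jackson-databind-2.11.2.jar' into ('jackson-databind', '2.11.2')."""
    match = JAR_RE.match(name)
    if match is None:
        return None
    return match.group("artifact"), match.group("version")


def find_outdated(jar_names: List[str], minimums=MIN_VERSIONS) -> List[Tuple[str, str, str, str]]:
    """Return (file, artifact, found_version, minimum_version) for every JAR below the minimum."""
    findings = []
    for name in sorted(jar_names):
        parsed = parse_jar_name(name)
        if parsed is None:
            continue  # not in the assumed artifact-version.jar form; skip
        artifact, version = parsed
        if artifact not in minimums:
            continue
        if compare(parse_version(version), parse_version(minimums[artifact])) < 0:
            findings.append((name, artifact, version, minimums[artifact]))
    return findings


def scan_directory(path: str) -> List[Tuple[str, str, str, str]]:
    """Apply find_outdated to the .jar files directly inside `path`."""
    names = [f for f in os.listdir(path) if f.endswith(".jar")]
    return find_outdated(names)


if __name__ == "__main__":
    # Usage: python check_jars.py <project>/Drivers   (path is an assumption)
    results = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else find_outdated(SAMPLE_JARS)
    for file_name, artifact, found, minimum in results:
        print(f"{file_name}: {artifact} {found} is below {minimum}")
```

Run it with no arguments to see the result on the constructed sample, or pass a folder path to scan real files. A JAR exactly at the minimum (`spring-context-5.3.19.jar`) is not reported, and `jackson-databind-2.13.2.jar` would be, because the comparison zero-pads the shorter version rather than treating it as equal.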