Known Vulnerabilities with Katalon Studio: unable to exclude built-in libraries

I am trying to follow the instructions posted here: https://docs.katalon.com/katalon-studio/docs/external-libraries.html#add-external-libraries to exclude the following built-in libraries: postgresql-42.2.17.jre7.jar and jackson-databind-2.11.2.jar, but the option to add an excluded library is disabled. Please advise.


The option requires Katalon Studio Enterprise license.

I suppose that you use Katalon Studio Free plan, don’t you?

My apologies for not seeing your response sooner. We have a KSE license, and it's associated with my credentials. After entering my credentials and activating KSE, I have the option to add/remove in the External Libraries section, but I am still unable to add/remove in the "Exclude the following built-in libraries" section.

@sara.leslie

@fpva needs assistance by someone from Katalon.


Thank you, escalating internally for more assistance on this.

Hi @fpiva Frank, could you submit your concern here? This is a dedicated support portal for our paid clients only, since you're using KSE. I understand that this requires you to re-submit your concern, but it helps centralize the support effort and gets you the solution quicker. The Community Forum here is more of a crowd-support channel with Katalon experts from many industries and backgrounds globally; its response time may be delayed due to the crowd-support nature. Hope this helps.

Hi All,

Kindly be informed that, in version 8.3.5, we updated PostgreSQL from 42.2.17.jre7 to 42.3.3 to resolve the CVE-2022-26520 and CVE-2022-21724 vulnerabilities.

Download version 8.3.5 here and see what has been added in this latest release at Release notes 8.3.5.

Regards,
Shin


Hi @Shin and @kazurayam, currently we observe that Katalon Studio v7.8.2 and v8.4.0 contain apache-commons-text v1.6, which has the following vulnerability issue:

commons-text-v1.6 vulnerability CVE-2022-42889

Can you please advise on how it can be fixed?
At the moment our testing framework is the enterprise version of Katalon.

Regards
L

You can exclude the built-in version of external libraries as documented at

At the same time, you would add your preferred version in the Drivers folder of your project.

Hi @kazurayam, thank you for answering. I would like to ask you about KRE; we run through Katalon Runtime Engine. How can we do the above procedure in KRE?

Thank you @kazurayam. I will try, but if there is any command line option to exclude them, that would be nice, because we have our paid version of Katalon for running our tests (KREs), but locally not everybody has the paid one.

I will pass this question to @vu.tran

I think you want to do the setup in the project using the Katalon Studio GUI, commit the settings into the git repository, and push it to the remote git repository. The repository should include the version of the external jar of your choice in the Drivers directory. You would check out the repository from the remote Git repository to run the project in KRE. This project inherits the settings, so it should work in KRE the same way.


hello @kazurayam, @vu.tran

This relates to the issue with the commons library apache-commons-text v1.6 with vulnerability CVE-2022-42889.

Currently we don't have KSE licenses in order to exclude the specific plugin via the Katalon Studio GUI, but we have KRE licenses. How can we overcome this?

thanks

You can use Katalon Studio - Standalone Edition, which is free. It is enough for managing external dependencies as we discussed.

You are only affected when this software uses the StringSubstitutor API without properly sanitizing any untrusted input.

Does anyone know if this issue really affects Katalon Studio and, if so, when Katalon Studio will be updated to solve this issue by using commons-text v1.10?

edit:
I manually added ‘v1.10’ as a plugin, but the 1.6.0 file still exists.
Is there a way to know the 1.6.0 version isn’t used?

from Katalon Studio installation details:
org.apache.commons.commons-text (1.10.0) “Apache Commons Text” [Active]
org.apache.commons.commons-text (1.6.0) “Apache Commons Text” [Resolved]
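The two questions in the post above (which commons-text jar the JVM actually resolves, and whether a given use of StringSubstitutor is exposed to CVE-2022-42889) can both be checked from a Katalon test case. The Groovy script below is an added example and is not Katalon's own code; it assumes a test case running inside Katalon Studio or KRE with commons-text on the classpath, and the `untrusted` string and `allowed` map are constructed sample input. The "Resolved"/"Active" states in the installation details describe OSGi bundles, not what a test-case classloader picks, so the script asks the loaded class itself.

```groovy
// Added example (not Katalon's own code). Run as a Katalon test case in Script mode.
import org.apache.commons.text.StringSubstitutor
import org.apache.commons.text.lookup.StringLookupFactory

// (1) Which jar is live for this test case? Ask the class, not the bundle list.
// Class.getPackage() reads Implementation-Version from the jar manifest; it may be null
// if the manifest lacks it, so the jar URL is the more reliable signal.
URL loadedFrom = StringSubstitutor.class.protectionDomain.codeSource?.location
println "StringSubstitutor loaded from: ${loadedFrom}"
println "Implementation-Version: ${StringSubstitutor.package?.implementationVersion}"

// (2) The affected pattern: untrusted text reaching an interpolating substitutor.
// Constructed sample input; a benign JavaScript expression stands in for attacker data.
String untrusted = 'hello ${script:javascript:1+1}'

// createInterpolator() on commons-text 1.5 through 1.9 enables the script, dns and url
// lookups by default, so the "script:" prefix is evaluated by the JVM's script engine.
// On 1.10.0 those three lookups are off by default and the placeholder is left as-is,
// which is why the version check in (1) matters.
String risky = StringSubstitutor.createInterpolator().replace(untrusted)
println "createInterpolator(): ${risky}"

// Hardened form on any version: no interpolator at all, only an explicit allowlist of
// variables the test controls. Unknown keys such as "script:javascript:1+1" are not
// resolvable from the map and are left untouched; only ${user} is substituted.
Map<String, String> allowed = [user: 'tester', env: 'staging']
String safe = new StringSubstitutor(allowed).replace(untrusted + ' run by ${user}')
println "allowlisted map lookup: ${safe}"

// If the interpolator syntax is genuinely needed, build one with addDefaultLookups=false
// so that only the prefixes you name are registered (here: none, plus the map fallback).
def restricted = StringLookupFactory.INSTANCE.interpolatorStringLookup(
        [:], StringLookupFactory.INSTANCE.mapStringLookup(allowed), false)
println "restricted interpolator: ${new StringSubstitutor(restricted).replace(untrusted)}"
```

On an installation where the first line prints a path ending in `commons-text-1.6.0.jar`, the `createInterpolator()` line is the one to look for in Custom Keywords and test scripts; the two hardened variants behave the same on 1.6.0 and 1.10.0 because they never register the script, dns or url lookups.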

Usually, any published vulnerability comes with a proposed exploit, for testing purposes.

feel free to test and let us know if any concern, and what is the attack surface.

No. I was wrong.

Excluding built-in libraries requires an Enterprise license.

Hi @Shin @vu.tran, are there any version updates for Katalon to mitigate the Text4Shell vulnerability
apache-commons-text v1.6 vulnerability CVE-2022-42889?
We don't have the KRE license, so we can't exclude the library.

@mohamed.kotb

I am not a Katalon employee.
Do not mention my name, please.