[SECURITY] CVEs with fixes available not yet fixed

[nivivive]

Describe the security issue
AWS inspector scan reveals the following vulnerabilities all from withinopt/connect/server-lib/ folder, but can be fixed by upgrading the versions of those relevant packages

Vulnerability Location
In opt/connect/server-lib/ folder:

1. CVE-2024-1597
   location: opt/connect/server-lib/database/postgresql-42.6.0.jar
   fix: Upgrade to 42.7.2

2. CVE-2022-46337, CVE-2015-1832, CVE-2018-1313
   location: opt/connect/server-lib/database/derby-10.10.2.0.jar
   fix: Upgrade to 10.17.1.0

3. GHSA-xpw8-rcwv-8f8p, CVE-2023-44487
   location: opt/connect/server-lib/aws/ext/netty/netty-codec-http2-4.1.97.Final.jar
   fix: Upgrade to 4.1.100.Final

4. CVE-2018-1294, CVE-2017-9801
   location: opt/connect/server-lib/commons/commons-email-1.3.1.jar
   fix: Upgrade to 1.5

5. CVE-2024-29133, CVE-2024-29131
   locations:

• opt/connect/server-lib/commons/commons-configuration2-2.8.0.jar
• opt/connect/client-lib/commons-configuration2-2.8.0.jar
  fix: Upgrade to 2.10.1

6. CVE-2020-26945
   location: opt/connect/server-lib/mybatis-3.1.1.jar
   fix: Upgrade to 3.5.6

7. CVE-2023-2976, CVE-2020-8908
   locations:

• opt/connect/server-lib/donkey/guava/guava-28.2-jre.jar
• opt/connect/client-lib/guava-28.2-jre.jar
  fix: Upgrade to 32.0.0-jre

8. CVE-2012-5783
   location: opt/connect/server-lib/commons/commons-httpclient-3.0.1.jar
   fix: Upgrade to 4.0

9. CVE-2012-5783
   location: opt/connect/server-lib/commons/commons-httpclient-3.0.1.jar
   fix: Upgrade to 4.0

10. CVE-2021-37533
    location: opt/connect/server-lib/commons/commons-net-3.3.jar
    fix: Upgrade to 3.9.0

11. CVE-2024-26308, CVE-2024-25710
    locations:

• opt/connect/server-lib/commons/commons-compress-1.24.0.jar
• opt/connect/client-lib/commons-compress-1.24.0.jar
  fix: Upgrade to 1.26.0

11. CVE-2024-8184, CVE-2024-6763
    location: opt/connect/server-lib/jetty/jetty-http-9.4.53.v20231009.jar
    fix: Upgrade to 12.0.12

12. CVE-2021-47621
    location: opt/connect/server-lib/classgraph-4.8.53.jar
    fix: Upgrade to 4.8.112

13. CVE-2024-29025
    location: opt/connect/server-lib/aws/ext/netty/netty-codec-http-4.1.97.Final.jar
    fix: Upgrade to 4.1.108.Final

14. CVE-2024-47554
    locations:

• opt/connect/server-lib/commons/commons-io-2.13.0.jar
• opt/connect/client-lib/commons-io-2.13.0.jar
  fix: Upgrade to 2.14.0

Environment (please complete the following information if it is applicable to the issue)

• OS: Linux
• Java Distribution/Version: Java17
• Connect Version: 4.5.2

Suggested remediation
See recommendations in each of the 14 vulnerabilities above

Additional context
Add any other context about the problem here.

[nivivive]

Hi, It’s been a while since I raised this issue, and I was hoping for an update. The vulnerabilities flagged by AWS Inspector in the opt/connect/server-lib/ directory are still a concern. Unfortunately, I can’t update these packages myself since they are in use and tightly integrated with the system.

Could you please provide some insight into why certain packages haven’t been upgraded in years? It would be really helpful to understand if there are specific blockers or reasons behind this.

Looking forward to hearing from you! Thanks for your time