Hotfix 1.10.7

Release Date: 25/08/2023

Fixes

  • [ESSD-215] Fixed issue that allowed the generation of documents populated with invalid values in radio groups/buttons.

  • [ESSD-220] Fixed issue where signature options modal would not trigger under certain conditions.

  • Fixed bug introduced in hotfix 1.10.6 that prevented CMD signatures from working properly in IE11.

Security Vulnerabilities

Fixed vulnerabilities

Dependency      Severity   Vulnerability
shiro-web.jar   CRITICAL   CVE-2023-34478

Known vulnerabilities

Dependency      Severity   Vulnerability    Description
postgresql.jar  HIGH       CVE-2020-21469   An issue discovered in PostgreSQL 12.2 allows attackers to cause a denial of service by repeatedly sending SIGHUP signals.

Whitelist vulnerabilities

Dependency      Vulnerability     Description

spring-web      CVE-2016-1000027  Spring dismissed this CVE:
                                  "The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data."
                                  https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

jackson-databind CVE-2023-35116   Jackson dismissed this CVE:
                                  "The vendor’s perspective is that the product is not intended for use with untrusted input."
                                  https://nvd.nist.gov/vuln/detail/CVE-2023-35116

liquibase-core  CVE-2022-0839     This vulnerability does not affect eSign, as eSign does not pass external input to the Liquibase libraries.

h2              CVE-2021-42392    These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments.
                CVE-2022-23221
                CVE-2021-23463
                CVE-2022-45868
                CVE-2018-14335

itext-core      CVE-2022-24198    iText dismissed this CVE:
                                  "Vendor does not view this as a vulnerability and has not found it to be exploitable."
                                  https://nvd.nist.gov/vuln/detail/CVE-2022-24198

quartz          CVE-2023-39017    Quartz functionality is not exposed externally; eSign provides no way of passing unchecked arguments to Quartz.

Upgrade Notes

If you are upgrading directly from 1.9.x, check the migration steps to understand how to upgrade.