Hotfix 1.10.9

Release Date: 05/12/2023

Fixes

Fixes a bug with iText library that made it perform a full document scan whenever it was edited/consulted. This caused severe performance issues, especially in terms of CPU usage.

Security Vulnerabilities

Fixed vulnerabilities

None

Known vulnerabilities

Dependency	Severity	Vulnerability	Description
bouncycastle	MEDIUM	CVE-2023-33202	The iText 7.1.x and 7.2.x suite relies on version 1.67 of the BouncyCastle provider. We have reached out to the vendor, who has assured us that a solution is forthcoming.

Dependency

Severity

Vulnerability

Description

bouncycastle

MEDIUM

CVE-2023-33202

The iText 7.1.x and 7.2.x suite relies on version 1.67 of the BouncyCastle provider. We have reached out to the vendor, who has assured us that a solution is forthcoming.

Whitelist vulnerabilities

Dependency	Vulnerability	Description
spring-web	CVE-2016-1000027	Spring dismissed this CVE: "The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data." https://nvd.nist.gov/vuln/detail/CVE-2016-1000027
jackson-databind	CVE-2023-35116	"The vendor’s perspective is that the product is not intended for use with untrusted input." https://nvd.nist.gov/vuln/detail/CVE-2023-35116
liquibase-core	CVE-2022-0839	This vulnerability does not affect eSign as it does not support external inputs to liquibase libraries
h2	CVE-2021-42392 CVE-2022-23221 CVE-2021-23463 CVE-2022-45868 CVE-2018-14335	These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments
itext-core	CVE-2022-24198	iText dismissed this CVE: "Vendor does not view this as a vulnerability and has not found it to be exploitable." https://nvd.nist.gov/vuln/detail/CVE-2022-24198
itext-*	CVE-2021-43113	This library is included in iText’s bundle but eSign never uses said library. Removed from eSign 1.11.0 and upwards.
quartz	CVE-2023-39017	Quartz functionalities are not exposed to the outside. eSign provides no way of passing unchecked arguments to quartz.
jose4j	CVE-2023-31582	This vulnerability does not affect eSign as it does not allow the configuration of the number of hashing iterations (which is set at a safe level).

Dependency

Vulnerability

Description

spring-web

CVE-2016-1000027

Spring dismissed this CVE:

"The vendor’s position is that untrusted data is not an intended use case. The product’s behavior will not be changed because some users rely on deserialization of trusted data."
https://nvd.nist.gov/vuln/detail/CVE-2016-1000027

jackson-databind

CVE-2023-35116

"The vendor’s perspective is that the product is not intended for use with untrusted input."
https://nvd.nist.gov/vuln/detail/CVE-2023-35116

liquibase-core

CVE-2022-0839

This vulnerability does not affect eSign as it does not support external inputs to liquibase libraries

CVE-2021-42392
CVE-2022-23221
CVE-2021-23463
CVE-2022-45868
CVE-2018-14335

These vulnerabilities only affect H2 databases, which are intended for demo purposes only and should not be used in production environments

itext-core

CVE-2022-24198

iText dismissed this CVE:

"Vendor does not view this as a vulnerability and has not found it to be exploitable."
https://nvd.nist.gov/vuln/detail/CVE-2022-24198

itext-*

CVE-2021-43113

This library is included in iText’s bundle but eSign never uses said library. Removed from eSign 1.11.0 and upwards.

quartz

CVE-2023-39017

Quartz functionalities are not exposed to the outside.
eSign provides no way of passing unchecked arguments to quartz.

jose4j

CVE-2023-31582

This vulnerability does not affect eSign as it does not allow the configuration of the number of hashing iterations (which is set at a safe level).