Upgrade of insecure libraries/packages

Hello. My name is Ricardo Santos from Mozambique and in our work to place the latest openmrs release in production, we did a vulnerability scan for the libraries / packages used by openmrs and found the following to be vulnerable to critical vulnerabilities:

Openmrs 2.6.11

  • com.fasterxml.jackson.core:jackson-core - 2.14.1 => com.fasterxml.jackson.core:jackson-core - 2.15.0
  • org.liquibase:liquibase-core - 4.4.3 => org.liquibase:liquibase-core - 4.8.0
  • org.postgresql:postgresql - 42.5.1 => org.postgresql:postgresql - 42.5.5
  • com.google.protobuf:protobuf-java - 3.19.4 => com.google.protobuf:protobuf-java - 3.25.5
  • org.springframework:spring-web - 5.3.23 => org.springframework:spring-web - 6.1.14
  • org.springframework:spring-webmvc - 5.3.23 => org.springframework:spring-webmvc - 6.1.14

openmrs 2.x

  • org.apache.tomcat:tomcat-coyote - 8.5.100 => org.apache.tomcat:tomcat-coyote - 9.0.90
  • com.mchange:c3p0 - 0.9.2.1 => com.mchange:c3p0 - 0.9.5.4
  • commons-beanutils:commons-beanutils - 1.9.3 => commons-beanutils:commons-beanutils - 1.9.4
  • commons-io:commons-io - 2.5 => commons-io:commons-io - 2.14.0
  • org.hibernate:hibernate-core - 4.3.9.Final => org.hibernate:hibernate-core - 5.4.24.Final
  • com.fasterxml.jackson.core:jackson-core - 2.9.8 => com.fasterxml.jackson.core:jackson-core - 2.15.0
  • com.fasterxml.jackson.core:jackson-databind - 2.9.8 => com.fasterxml.jackson.core:jackson-databind - 2.12.7.1
  • org.liquibase:liquibase-core - 2.0.5 => org.liquibase:liquibase-core - 4.8.0
  • Drop Log4j and adopt alternatives such as Logback
  • mysql:mysql-connector-java - 5.1.45 => mysql:mysql-connector-java - 8.0.28
  • org.springframework:spring-beans - 4.1.4.RELEASE => org.springframework:spring-beans - 5.2.22.RELEASE
  • org.springframework:spring-webmvc - 4.1.4.RELEASE => org.springframework:spring-webmvc - 6.1.14
  • com.thoughtworks.xstream:xstream - 1.4.11.1 => com.thoughtworks.xstream:xstream - 1.4.21
  • xerces:xercesImpl - 2.8.0 => xerces:xercesImpl - 2.12.2

Is it possible to upgrade these libraries in a future release?

The vulnerability scanner used was snyk.

Kind regards

RS
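A quick way to turn a scanner list like the one above into a repeatable check before each deployment, as an added example that is not part of the original post and not OpenMRS code: it parses the `group:artifact - old => group:artifact - new` lines, reads the versions declared in a `pom.xml` (resolving `${property}` references), and reports every dependency still below the proposed minimum. The `pom.xml` fragment and the four-entry list are constructed samples, and `version_key` is a simplified approximation of Maven's version ordering (release qualifiers such as `Final`/`RELEASE` are treated as equal to no qualifier, pre-release qualifiers sort before the release).

```python
import re
from xml.etree import ElementTree as ET

# Constructed sample in the "group:artifact - old => group:artifact - new" shape of
# the scanner list above (four of its entries); the Log4j line has no version pair.
UPGRADE_LIST = """\
com.fasterxml.jackson.core:jackson-core - 2.9.8 => com.fasterxml.jackson.core:jackson-core - 2.15.0
org.liquibase:liquibase-core - 2.0.5 => org.liquibase:liquibase-core - 4.8.0
org.hibernate:hibernate-core - 4.3.9.Final => org.hibernate:hibernate-core - 5.4.24.Final
xerces:xercesImpl - 2.8.0 => xerces:xercesImpl - 2.12.2
Drop Log4j and adopt alternatives such as Logback
"""

# Constructed pom.xml: two deps already fixed, two still old (one via a property),
# and one that is not on the list at all.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><liquibaseVersion>2.0.5</liquibaseVersion></properties>
  <dependencies>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-core</artifactId><version>2.15.0</version></dependency>
    <dependency><groupId>org.liquibase</groupId><artifactId>liquibase-core</artifactId><version>${liquibaseVersion}</version></dependency>
    <dependency><groupId>org.hibernate</groupId><artifactId>hibernate-core</artifactId><version>4.3.9.Final</version></dependency>
    <dependency><groupId>xerces</groupId><artifactId>xercesImpl</artifactId><version>2.12.2</version></dependency>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
  </dependencies>
</project>
"""

PRERELEASE_RANK = {"alpha": 1, "a": 1, "beta": 2, "b": 2, "milestone": 3, "m": 3, "rc": 4, "cr": 4}
RELEASE_QUALIFIERS = {"", "final", "release", "ga"}
COORD_RE = re.compile(r"(\S+?:\S+?)\s*-\s*(\d\S*)")  # "group:artifact - 1.2.3"


def version_key(version):
    """Sortable key approximating Maven version ordering (simplified, assumption)."""
    numeric, qualifier = [], ""
    for token in re.split(r"[.\-]", version.strip().lower()):
        if token.isdigit() and not qualifier:
            numeric.append(int(token))
        else:
            qualifier += token  # "beta" + "2" -> "beta2"
    while numeric and numeric[-1] == 0:  # 2.5 and 2.5.0 are the same version
        numeric.pop()
    m = re.fullmatch(r"([a-z]*)(\d*)", qualifier)
    word, num = (m.group(1), int(m.group(2) or 0)) if m else (qualifier, 0)
    if word in RELEASE_QUALIFIERS:
        rank, word = 10, ""  # 4.3.9.Final == 4.3.9
    else:
        rank = PRERELEASE_RANK.get(word, 5)  # unknown qualifiers sit between rc and release
    return (tuple(numeric), rank, num, word)


def parse_upgrade_list(text):
    """Map group:artifact -> (old version, proposed minimum) from scanner lines."""
    minimums = {}
    for line in text.splitlines():
        if " => " not in line:
            continue  # advisory text without a version pair
        old_side, new_side = line.split(" => ", 1)
        old_m, new_m = COORD_RE.fullmatch(old_side.strip()), COORD_RE.fullmatch(new_side.strip())
        if old_m and new_m:
            minimums[old_m.group(1)] = (old_m.group(2), new_m.group(2))
    return minimums


def audit_pom(pom_xml, minimums):
    """Return (group:artifact, declared version, minimum) for every dep below the minimum."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_xml)
    props = {p.tag.split("}")[-1]: (p.text or "").strip() for p in root.findall("m:properties/*", ns)}
    findings = []
    for dep in root.findall(".//m:dependency", ns):
        ga = f"{dep.findtext('m:groupId', namespaces=ns)}:{dep.findtext('m:artifactId', namespaces=ns)}"
        if ga not in minimums:
            continue
        version = (dep.findtext("m:version", default="", namespaces=ns) or "").strip()
        ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if ref:
            version = props.get(ref.group(1), version)
        _old, minimum = minimums[ga]
        if not version:
            findings.append((ga, "<not declared here>", minimum))  # managed elsewhere: check manually
        elif version_key(version) < version_key(minimum):
            findings.append((ga, version, minimum))
    return findings


if __name__ == "__main__":
    for ga, have, need in audit_pom(SAMPLE_POM, parse_upgrade_list(UPGRADE_LIST)):
        print(f"{ga}: {have} < {need}")
```

The check only covers versions declared in the file it reads; versions pulled in transitively or through a parent `dependencyManagement` block are better taken from the output of `mvn dependency:tree`, and the dependency list in the scanner report, not the pom, is what decides whether a bump is really needed.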

Our latest release is 2.7.3, which should have a number of the above upgraded.


Thank you Daniel.

Will talk with the development team.

RS