CentOS Linux—the open, enterprise-class, platform upon which Asset Manager solutions are built—and third-party packages such as Postgres and Oracle JRE—are continuously monitored by industry and community groups to uncover flaws. Upgrade packages that fix these CentOS flaws (aka CVEs, Common Vulnerabilities and Exposures) are made available from CentOS and third parties (Postgres, Oracle JRE) on an ongoing basis.
This page lists security enhancements on our radar. It's those CVEs that Asset Manager is actively addressing and expects to have fully resolved in the upcoming releases of Asset Manager Enterprise Edition.
| CVE Identifier | Highest Severity | Vulnerable Package | Date Reported | 3rd Party Patch Available? | Latest vulnerable FAM | Notes on vulnerability | Resolved FAM Version | FAM GA |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-22218 | high | libssh2-1.8.0-4.el7.x86_64 | 08/22/2023 | awaiting patch | 4.9.0.2 | An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory. | ||
| critical | postgresql-42.2.2.jar (lumeta-api RPM) |
| postgresql-42.6.0.jar | 4.9.0.2 | Various issues regarding PostgreSQL's official JDBC driver. | 4.10 | ||
| CVE-2023-38325 | high | cryptography-40.0.2-cp36-abi3-manylinux_2_17_x86_64.manylinux2014_x86_64.whl | 07/14/2023 | awaiting patch | 4.9.0.2 | Mishandles SSH certificates that have critical options. | ||
| high | bind-export-libs-9.11.4-26.P2.el7_9.13.x86_64 bind-libs-lite-9.11.4-26.P2.el7_9.13.x86_64 bind-utils-9.11.4-26.P2.el7_9.13.x86_64 bind-license-9.11.4-26.P2.el7_9.13.noarch bind-libs-9.11.4-26.P2.el7_9.13.x86_64 | 06/21/2023 | awaiting patch | 4.9.0.2 | The effectiveness of the cache-cleaning algorithm used in `named` can be severely diminished by querying the resolver for specific RRsets in a certain order, effectively allowing the configured `max-cache-size` limit to be significantly exceeded. | |||
| CVE-2023-30861 | high |
| 05/02/2023 | awaiting patch | 4.9.0.2 | A response containing data intended for one client may be cached and subsequently sent by the proxy to other clients | ||
| CVE-2023-25577 CVE-2023-23934 | high | | 02/14/2023 | awaiting patch | 4.9.0.2 | Various werkzeug issues | ||
| CVE-2019-19919 CVE-2021-23369 CVE-2021-23383 WS-2020-0450 WS-2019-0064 CVE-2019-20920 WS-2019-0103 | critical | | 12/20/2019 | handlebars-v4.7.8.js | 4.9.0.2 | Various handlebars issues | 4.10 | |
| CVE-2023-37920 CVE-2022-23491 | critical | | 07/25/2023 | certifi-2023.7.22-py3-none-any.whl | 4.9.0.2 | Various certifi issues | 4.10 |