On this page we inform you about:
- Current security vulnerabilities
- Affected DocBridge® products
- Steps for resolving
November 2023 | CVE-2023-46604
List of impacted products:
Not affected: Other Compart products, besides those mentioned above, are not affected by this vulnerability.
In general, we recommend the following actions:
March 2022 | CVE-2022-22965
Dear Compart customers,
As you may have heard from the press, a vulnerability in a widely used framework for Java-based enterprise application development (Spring Framework) was recently discovered and published as CVE-2022-22965. Immediately after this security vulnerability became known on March 31, 2022, Compart began investigating possible effects on its products and taking countermeasures.
The vulnerability is fixed in the following versions of the Spring framework:
Spring Boot versions 2.5.12 and 2.6.6, which depend on the above, have also been published. CVE-2022-22965 only affects Spring versions running on Java >= 9 (Java 8 is not affected).
According to https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement#am-I-impacted:
The following Compart products use versions of the Spring Framework susceptible to CVE-2022-22965; however, they do not use the annotation for data binding of controller method parameters that gives rise to the vulnerability:
Although the DocBridge products listed in the section "Which Compart products are affected" do not use the vulnerable annotation for data binding of controller method parameters, Compart has nevertheless prepared hotfixes for these products, upgrading the Spring Framework to versions in which the vulnerability has been fixed (5.3.18+ and 5.2.20+, as indicated above).
Immediately after the vulnerability became known, all internal IT systems were checked for exposure in addition to our own software, the recommended countermeasures were initiated and available patches were installed. We will continue to monitor the situation closely and inform our customers promptly if new information becomes available.
December 2021 | CVE-2021-44228
Dear Compart customers,
As you may have heard from the press, a vulnerability in a widely used open source Java library (Log4j2) was recently discovered and published as CVE-2021-44228. Immediately after this security vulnerability became known on December 10, 2021, Compart began investigating possible effects on its products and taking countermeasures.
One Compart product uses the library affected by the security vulnerability (Log4j2 <= 2.14.1). The affected product is:
Immediately after the vulnerability became known, all internal IT systems were checked for exposure in addition to our own software, the recommended countermeasures were initiated and available patches were installed. We will continue to monitor the situation closely and inform our customers promptly if new information becomes available.
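As an added triage helper (not code from Compart or from this page), the following Python script applies the affected-version criteria stated in the two advisories above (Spring Framework below 5.3.18 / 5.2.20 on Java >= 9 for CVE-2022-22965; Log4j2 <= 2.14.1 for CVE-2021-44228) to a list of jar file names such as a dependency inventory would produce. It assumes the standard Maven artifact names for Spring Framework (spring-core, spring-beans, spring-web, spring-webmvc, spring-webflux, spring-context) and Log4j2 (log4j-core); the jar names in the sample are constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Criteria taken from the advisories above.
SPRING_FIXED = {(5, 3): (5, 3, 18), (5, 2): (5, 2, 20)}  # CVE-2022-22965 fix releases
LOG4J_LAST_AFFECTED: Version = (2, 14, 1)                # CVE-2021-44228: Log4j2 <= 2.14.1

# Assumed Maven artifact ids of the Spring Framework (not Spring Boot or other Spring projects).
SPRING_FRAMEWORK_ARTIFACTS = {
    "spring-core", "spring-beans", "spring-context", "spring-web", "spring-webmvc", "spring-webflux",
}

# Typical Maven jar name, e.g. spring-beans-5.2.19.RELEASE.jar or log4j-core-2.14.1.jar
JAR_RE = re.compile(r"^(?P<artifact>[a-z0-9-]+?)-(?P<ver>\d+\.\d+\.\d+)(?:\.[A-Za-z0-9]+)?\.jar$")

def parse_jar(name: str) -> Optional[Tuple[str, Version]]:
    """Split a jar file name into (artifact id, numeric version), or None if it does not match."""
    m = JAR_RE.match(name)
    if not m:
        return None
    major, minor, patch = (int(p) for p in m.group("ver").split("."))
    return m.group("artifact"), (major, minor, patch)

def spring_affected(version: Version, java_major: int) -> bool:
    """CVE-2022-22965 per the advisory: Java 8 is out of scope; 5.3.x/5.2.x below the fix
    release are affected. Branches the advisory does not list are flagged for manual review."""
    if java_major < 9:
        return False
    fixed = SPRING_FIXED.get(version[:2])
    return True if fixed is None else version < fixed

def log4j_affected(version: Version) -> bool:
    """CVE-2021-44228 per the advisory: every Log4j2 release up to and including 2.14.1."""
    return version <= LOG4J_LAST_AFFECTED

def triage(jar_names: Iterable[str], java_major: int) -> Dict[str, str]:
    """Map each jar that meets the advisories' affected criteria to the relevant CVE id."""
    findings: Dict[str, str] = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            continue
        artifact, ver = parsed
        if artifact in SPRING_FRAMEWORK_ARTIFACTS and spring_affected(ver, java_major):
            findings[name] = "CVE-2022-22965"
        elif artifact == "log4j-core" and log4j_affected(ver):
            findings[name] = "CVE-2021-44228"
    return findings

# Constructed sample inventory; run with the Java major version the application uses.
SAMPLE_JARS = ["spring-webmvc-5.3.17.jar", "spring-beans-5.2.20.RELEASE.jar",
               "log4j-core-2.14.1.jar", "log4j-core-2.17.1.jar", "commons-io-2.11.0.jar"]
if __name__ == "__main__":
    for jar, cve in triage(SAMPLE_JARS, java_major=11).items():
        print(f"{jar}: matches affected criteria for {cve}")
```

A hit only means the version matches the advisory's criteria; whether the application actually uses the vulnerable data-binding path is a separate check, as the Spring section above explains.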