KevinCollard | Posts: 1

CVE-2022-24823 OneSpan Java SDK

0 votes

The OneSpan Java SDK (sdk-11.51-jar-with-dependencies.jar) contains a version of Netty (4.1.74.Final) that has the security vulnerability CVE-2022-24823, and sdk-11.51.jar has references to it. Our company (and our clients) won't allow it to be deployed with security vulnerabilities.

Netty has it patched from version 4.1.77.Final onwards.

Can we get a build with the netty patches or is there something else we can do to work around the issue?

 


Approved Answer
Duo_Liang | Posts: 3776

Reply to: CVE-2022-24823 OneSpan Java SDK

1 votes

Hi Kevin,

 

Thanks for reporting this to us!

I'd like to create a support ticket on your behalf and escalate it to the R&D team.

The 11.51 SDK source code is hosted in this Git branch; you can modify the POM file and make your own Maven build, however it's not really recommended to do so.

 

Duo
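An added example, not code from either poster or from OneSpan: a way to confirm which Netty artifacts a jar-with-dependencies actually bundles, before and after a rebuild, by reading the Maven `pom.properties` entries under `META-INF/maven/io.netty/` and comparing them with the 4.1.77.Final fix version given in the question. The function names and the in-memory sample jar are constructed for illustration, and the check assumes the build kept that Maven metadata in the jar.

```python
import io
import re
import zipfile

FIXED = (4, 1, 77)  # first patched Netty release, per the question above
POM_PROPS = re.compile(r"^META-INF/maven/io\.netty/([^/]+)/pom\.properties$")

def parse_version(text):
    """Turn '4.1.74.Final' into (4, 1, 74); None if there is no numeric prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None

def bundled_netty(jar):
    """Map each bundled io.netty artifact to the version in its pom.properties."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                key, _, value = line.partition("=")
                if key.strip() == "version":
                    found[m.group(1)] = value.strip()
    return found

def below_fixed(jar):
    """Artifacts older than FIXED, plus any whose version cannot be parsed."""
    out = {}
    for artifact, version in bundled_netty(jar).items():
        if artifact.startswith("netty-tcnative"):
            continue  # netty-tcnative uses its own 2.0.x version line
        parsed = parse_version(version)
        if parsed is None or parsed < FIXED:
            out[artifact] = version
    return dict(sorted(out.items()))

def sample_jar(entries):
    """Constructed in-memory jar for the demo; entries maps artifact -> version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for artifact, version in entries.items():
            zf.writestr(f"META-INF/maven/io.netty/{artifact}/pom.properties",
                        f"#Generated by Maven\nartifactId={artifact}\nversion={version}\n")
    return buf

if __name__ == "__main__":
    demo = sample_jar({"netty-codec-http": "4.1.74.Final", "netty-common": "4.1.77.Final"})
    print(below_fixed(demo))
```

Pass a real jar path to `below_fixed()` in place of the sample. An empty result only shows that no older Netty metadata was found, since a build that strips `META-INF/maven` leaves nothing for this check to read.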

