Product Name

CIS-CAT Pro Assessor v3

Product Version

All versions prior to 3.0.76

Date



Problem


The software contains security vulnerabilities present in embedded third-party dependencies.

Solution

Upgrade to the latest version.

  1. Log in to CIS WorkBench

  2. Navigate to Downloads on the menu bar

  3. Select Tag for ‘CIS-CAT Assessor’, navigate to the latest version, and download

  4. Replace installations of CIS-CAT Pro Assessor v3 in your environment

Note

Third-party dependencies are code libraries produced by sources outside CIS. CIS-CAT utilizes these libraries for common software activities, such as authentication and logging.

Impact

The risk to individual organizations has been assessed as low given CIS-CAT is not outward facing. We recommend our Members follow best practices and update to the latest version as soon as possible. See below for a list of the associated dependencies that have been replaced.

Third Party Dependency Details

See below for a list of the associated dependencies (Dependency column) that have been replaced. The Resolved Dependency column shows the dependency version, implemented in the latest version of CIS-CAT, that resolved the security findings.

| Product | Dependency | Resolved Dependency |
| --- | --- | --- |
| Assessor v3 Full and Dissolvable | log4j-core-2.3.jar | log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, slf4j-api-1.7.32 |
| Assessor v3 Full and Dissolvable | xbean_xpath.jar | xmlbeans-3.1.0 |
| Assessor v3 Full and Dissolvable | xbean.jar | xmlbeans-3.1.0 |
| Assessor v3 Full and Dissolvable | postgresql-42.2.4.jre6.jar | postgresql-42.2.13.jre6.jar |
| Assessor v3 Full and Dissolvable | xmlsec-1.5.6.jar | xmlsec-2.2.3 |
| Assessor v3 Full and Dissolvable | bcprov-jdk15on-1.50 | bcprov-jdk15on-1.69 |
| Assessor v3 Full and Dissolvable | commons-compress-1.20 | commons-compress-1.21 |
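
To check that step 4 of the Solution is complete, the following added example (not CIS code) walks a directory tree and reports any file named in the Dependency column above, whether it sits on disk or inside a leftover .zip bundle. The matching rule (file-name stem plus `.jar`, because some table entries omit the suffix), the .zip scanning and the function names are assumptions of this example.

```python
import os
import sys
import zipfile

# Old artifacts from the advisory's Dependency column -> what resolved them.
# Keys are file-name stems because some table entries omit the ".jar" suffix.
REPLACED = {
    "log4j-core-2.3": "log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, "
                      "slf4j-api-1.7.32",
    "xbean_xpath": "xmlbeans-3.1.0",
    "xbean": "xmlbeans-3.1.0",
    "postgresql-42.2.4.jre6": "postgresql-42.2.13.jre6.jar",
    "xmlsec-1.5.6": "xmlsec-2.2.3",
    "bcprov-jdk15on-1.50": "bcprov-jdk15on-1.69",
    "commons-compress-1.20": "commons-compress-1.21",
}


def replacement_for(name):
    """Return the resolved dependency if name is a replaced JAR, else None."""
    stem, ext = os.path.splitext(os.path.basename(name))
    return REPLACED.get(stem.lower()) if ext.lower() == ".jar" else None


def find_replaced_jars(root):
    """Walk root; return sorted (location, resolved_by) for replaced JARs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if replacement_for(name):
                hits.append((path, replacement_for(name)))
            elif name.lower().endswith(".zip") and zipfile.is_zipfile(path):
                # Undeleted download bundles still carry the old libraries.
                with zipfile.ZipFile(path) as bundle:
                    for entry in bundle.namelist():
                        if replacement_for(entry):
                            hits.append((path + "!" + entry,
                                         replacement_for(entry)))
    return sorted(hits)


if __name__ == "__main__":
    # Usage: python find_replaced_jars.py <directory to scan>
    for location, resolved in find_replaced_jars(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{location}  ->  resolved by {resolved}")
```

A hit means an installation or bundle older than the fixed release is still present at that location. The check is by file name only, so a renamed library is not detected.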

Keywords: v3 Vulnerability Dependency


Copyright © 2020

Center for Internet Security®

