CIS-CAT Pro Assessor v3 Vulnerability updates


Product Name: CIS-CAT Pro Assessor v3

Product Version: All versions prior to 3.0.76

Date: Nov 18, 2021


Problem

The software contains security vulnerabilities present in embedded third-party dependencies.

Solution

Upgrade to the latest version.

  1. Log in to CIS WorkBench

  2. Navigate to Downloads on the menu bar

  3. Select the Tag for ‘CIS-CAT Assessor’, navigate to the latest version, and download it

  4. Replace all installations of CIS-CAT Pro Assessor v3 in your environment with the downloaded version

Third-party dependencies are code libraries produced by sources outside CIS. CIS-CAT uses these libraries for common software activities, such as authentication and logging.

Impact

The risk to individual organizations has been assessed as low, given that CIS-CAT is not outward-facing. We recommend that Members follow best practices and update to the latest version as soon as possible.

Third Party Dependency Details

The table below lists the dependencies that have been replaced (Dependency column). The Resolved Dependency column shows the dependency version, shipped in the latest release, that resolves the security findings.

Product                           Dependency                    Resolved Dependency

Assessor v3 Full and Dissolvable  log4j-core-2.3.jar            log4j-core-2.14.1.jar, log4j-api-2.14.1.jar, slf4j-api-1.7.32

Assessor v3 Full and Dissolvable  xbean_xpath.jar               xmlbeans-3.1.0

Assessor v3 Full and Dissolvable  xbean.jar                     xmlbeans-3.1.0

Assessor v3 Full and Dissolvable  postgresql-42.2.4.jre6.jar    postgresql-42.2.13.jre6.jar

Assessor v3 Full and Dissolvable  xmlsec-1.5.6.jar              xmlsec-2.2.3

Assessor v3 Full and Dissolvable  bcprov-jdk15on-1.50           bcprov-jdk15on-1.69

Assessor v3 Full and Dissolvable  commons-compress-1.20         commons-compress-1.21
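Step 4 of the Solution asks you to replace every installation in your environment, and stale copies of the old jars are easy to miss. The script below is an added example, not CIS code and not part of CIS-CAT: it walks an install tree, reads the version from each jar's Maven-style file name (falling back to Implementation-Version in META-INF/MANIFEST.MF when the name carries none), and reports any jar from the table above that is still older than the Resolved Dependency version. It assumes jars live as plain files under the directory you point it at; the RESOLVED table is copied from this advisory and should be updated if a later advisory supersedes it. The sample install tree it builds in a temporary directory is constructed for the demonstration and does not reflect the real CIS-CAT layout.

```python
"""Audit a directory tree for third-party jars older than the versions
listed in the CIS-CAT Pro Assessor v3 advisory table (added example)."""
import os
import re
import tempfile
import zipfile

# Resolved versions copied from the advisory's "Resolved Dependency" column,
# keyed by artifact name as it appears in the jar file name.
RESOLVED = {
    "log4j-core": "2.14.1",
    "log4j-api": "2.14.1",
    "slf4j-api": "1.7.32",
    "xmlbeans": "3.1.0",
    "postgresql": "42.2.13",
    "xmlsec": "2.2.3",
    "bcprov-jdk15on": "1.69",
    "commons-compress": "1.21",
}

# The old XMLBeans artifacts carry no version in their file name; the advisory
# replaces both with xmlbeans-3.1.0, so their mere presence is a finding.
LEGACY_JARS = {"xbean.jar": "xmlbeans", "xbean_xpath.jar": "xmlbeans"}

# name-version.jar, with an optional .jreN qualifier (postgresql-42.2.4.jre6.jar)
_JAR_RE = re.compile(
    r"^(?P<name>[A-Za-z][A-Za-z0-9_-]*?)-(?P<ver>\d+(?:\.\d+)*)(?:\.jre\d+)?\.jar$")


def parse_jar_name(filename):
    """'log4j-core-2.14.1.jar' -> ('log4j-core', '2.14.1'); None if no version."""
    m = _JAR_RE.match(filename)
    return (m.group("name"), m.group("ver")) if m else None


def version_tuple(ver):
    """Numeric tuple so that '2.3' < '2.14.1' holds (string compare says otherwise).
    Stops at the first non-numeric component, e.g. '1.5.6-SNAPSHOT' -> (1, 5, 6)."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def manifest_version(path):
    """Fallback for unversioned file names: Implementation-Version from the manifest."""
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None
    for line in manifest.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "Implementation-Version":
            return value.strip()
    return None


def audit_directory(root):
    """Return a sorted list of (relative jar path, reason) for every jar named in
    the advisory that is still below its resolved version. Jars the advisory does
    not mention are ignored; jars at or above the resolved version pass."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            if not fn.endswith(".jar"):
                continue
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            if fn in LEGACY_JARS:
                art = LEGACY_JARS[fn]
                findings.append((rel, "legacy artifact, replaced by %s-%s" % (art, RESOLVED[art])))
                continue
            parsed = parse_jar_name(fn)
            if parsed:
                name, ver = parsed
            else:
                name, ver = fn[:-4], manifest_version(path)
            if name not in RESOLVED:
                continue
            if ver is None:
                findings.append((rel, "version unknown, expected %s" % RESOLVED[name]))
            elif version_tuple(ver) < version_tuple(RESOLVED[name]):
                findings.append((rel, "%s older than resolved %s" % (ver, RESOLVED[name])))
    return sorted(findings)


def build_sample_install(root):
    """Constructed sample tree (hypothetical, not the real CIS-CAT layout): old,
    current, legacy and unrelated jars so every branch of the audit is exercised."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    sample = {
        "log4j-core-2.3.jar": None,           # old: flagged
        "log4j-api-2.14.1.jar": None,         # current: passes
        "postgresql-42.2.4.jre6.jar": None,   # old, .jre6 qualifier: flagged
        "commons-compress-1.21.jar": None,    # current: passes
        "xbean.jar": None,                    # legacy XMLBeans: flagged
        "xmlsec.jar": "1.5.6",                # version only in manifest: flagged
        "some-internal-tool-9.9.jar": None,   # not in the advisory: ignored
    }
    for fn, impl_ver in sample.items():
        with zipfile.ZipFile(os.path.join(lib, fn), "w") as zf:
            if impl_ver:
                zf.writestr("META-INF/MANIFEST.MF",
                            "Manifest-Version: 1.0\nImplementation-Version: %s\n" % impl_ver)
    return root


def run_sample():
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_directory(build_sample_install(tmp))


if __name__ == "__main__":
    for rel, why in run_sample():
        print("%-32s %s" % (rel, why))
```

Point audit_directory at each Assessor install (and at any Dissolvable copies staged on file shares) after the upgrade; an empty result means no jar from the table is still at its old version. Version strings are compared numerically, since a plain string comparison would wrongly rank 2.3 above 2.14.1.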


Copyright © 2020 Center for Internet Security®