Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0042746Openbravo ERPA. Platformpublic2020-01-08 15:152020-01-10 09:15
Reporteralostale 
Assigned Toalostale 
PrioritynormalSeverityminorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target VersionFixed in Version3.0PR20Q2 
Merge Request Status
Review Assigned Tocaristu
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0042746: CVE in quartz 2.3.1
DescriptionCurrent quartz 2.3.1 has a known vulnerability (CVE-2019-13990 [1]).

Even it is not exploitable for Openbravo as it only affects in case jobs are defined as xml files, we should get updated to the latest version.

[1] https://nvd.nist.gov/vuln/detail/2019-13990 [^]
Steps To ReproduceNot exploitable for Openbravo (see description).
Proposed SolutionUpdate to current latest version 2.3.2 which solves the issue [1].

[1] https://github.com/quartz-scheduler/quartz/issues/467 [^]
Additional Information
TagsNo tags attached.
Relationships
related to feature request 0041483 closed caristu update quartz 
depends on backport 00427473.0PR20Q1 closed alostale CVE in quartz 2.3.1 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2020-01-08 15:15alostaleNew Issue
2020-01-08 15:15alostaleAssigned To => platform
2020-01-08 15:15alostaleOBNetwork customer => No
2020-01-08 15:15alostaleModules => Core
2020-01-08 15:15alostaleTriggers an Emergency Pack => No
2020-01-08 15:15alostaleRelationship addedrelated to 0041483
2020-01-08 15:15alostaleReview Assigned To => caristu
2020-01-08 15:27alostaleNote Added: 0116696
2020-01-08 15:33alostaleStatusnew => scheduled
2020-01-08 15:33alostaleAssigned Toplatform => alostale
2020-01-10 08:59hgbotCheckin
2020-01-10 08:59hgbotNote Added: 0116753
2020-01-10 08:59hgbotStatusscheduled => resolved
2020-01-10 08:59hgbotResolutionopen => fixed
2020-01-10 08:59hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/f139045c1bba18b0abd882b62a7fc62095f973f2 [^]
2020-01-10 09:15caristuNote Added: 0116755
2020-01-10 09:15caristuStatusresolved => closed
2020-01-10 09:15caristuFixed in Version => 3.0PR20Q2

Notes
(0116696)
alostale   
2020-01-08 15:27   
MR: https://gitlab.com/openbravo/product/openbravo/merge_requests/31 [^]
(0116753)
hgbot   
2020-01-10 08:59   
Repository: erp/devel/pi
Changeset: f139045c1bba18b0abd882b62a7fc62095f973f2
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Wed Jan 08 15:20:48 2020 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/f139045c1bba18b0abd882b62a7fc62095f973f2 [^]

fixed BUG-42746: CVE in quartz 2.3.1

  Updated quartz to 2.3.2 to solve reported CVE.

---
M legal/Licensing.txt
A lib/runtime/quartz-2.3.2.jar
R lib/runtime/quartz-2.3.1.jar
---
(0116755)
caristu   
2020-01-10 09:15   
https://gitlab.com/openbravo/product/openbravo/merge_requests/31 [^]