CVE-2022-32151 and CVE-2022-32158 in Version 1.11.8

[beardo-sid]

We are currently using version 1.11.8 of the Splunk Java Logging Library and have identified two critical vulnerabilities: CVE-2022-32151 and CVE-2022-32158.
Could you please provide if there is an updated version that addresses these issues or the timeline for the fix for this?

[Subrhamanya]

@tdhellmann we can see there are too many CVEs getting flagged for this jar in dependency check report.

CVEs:

CVE-2011-4644,CWE-287
CVE-2013-6771,CWE-22
CVE-2013-6772,CWE-1021
CVE-2013-6870,CWE-79
CVE-2013-7394,CWE-94
CVE-2014-2578,CWE-79
CVE-2014-3147,CWE-79
CVE-2016-4857,CWE-601
CVE-2016-4858,CWE-79
CVE-2016-4859,CWE-601
CVE-2017-5607,CWE-200
CVE-2017-5880,CWE-20
CVE-2018-11409,CWE-200
CVE-2018-7427,CWE-79
CVE-2018-7429,CWE-20
CVE-2018-7431,CWE-22
CVE-2018-7432,CWE-20
CVE-2019-5727,CWE-79
CVE-2021-3422,CWE-125,CWE-20
CVE-2021-42743,CWE-427
CVE-2022-26070,CWE-200,CWE-209
CVE-2022-32151,CWE-295
CVE-2022-32152,CWE-295
CVE-2022-32153,CWE-295,CWE-297
CVE-2022-32154,CWE-20,CWE-77
CVE-2022-32155,CWE-732
CVE-2022-32156,CWE-295
CVE-2022-32157,CWE-306
CVE-2022-32158,CWE-284
CVE-2023-40598,CWE-306,CWE-77

We believe these are all FP for this project. Can we get the confirmation so that we can ask dependency check team to get it suppressed?

[tdhellmann]

@Subrhamanya thanks for reaching out. While I'm not on this project anymore (and haven't been for several years), I'm reporting this internally to try to get you an answer.

[Subrhamanya]

Sure thanks.

[Subrhamanya]

Any updates @tdhellmann?? If possible, can you please pull whoever is working on it?? It's like our release is getting struck due to this from past a couple of days... and it's a bit critical for us...

cc: @fantavlik