Hello to the team,
our IT noticed, after a routine checking of installed software components on the machines in our company, that both KNIME 4.6.4 (the version we are working with) and the Python Integration (Labs) (4.6.5 v202301252007) use a version of OpenSSL that contains a known vulnerability. They are very keen on fixing any such occurrences in our system, and would like to know in which KNIME version and Python Integration version the following vulnerability is fixed:
Threat Encyclopedia | FortiGuard
CVE - CVE-2022-4203 (mitre.org)
Thank you for any information you can provide, so we know if there is a current version that fixes this.
Best regards,
Jan Schuppius
Hi Jan,
could you double-check whether this is an OS library? It may be possible to update that independently of KNIME (e.g. on Ubuntu with apt update/upgrade).
Kind regards
Marvin
Good morning Marvin,
maybe it helps if I supply some additional details. I do NOT think this is an operating system library, as the files that our scanner found are here (this is a Windows machine we are talking about):
C:\PROGRAM FILES\KNIME\PLUGINS\ORG.KNIME.PYTHONSCRIPTING.CHANNEL.V1.BIN.WIN32.X86_64_4.6.0.V202207221021\ENV\LIBRARY\BIN
C:\PROGRAM FILES\KNIME\BUNDLING\ROOT\PKGS\OPENSSL-1.1.1Q-H8FFE710_0\LIBRARY\BIN
These files came with the KNIME and extension installations respectively.
Best regards,
Jan
Hi Jan,
thanks for following up. I missed the fact that our Python integration brings its own OpenSSL libraries along. Sorry for that.
We’ve updated the OpenSSL libraries in version 4.7.1.
Kind regards
Marvin
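An added example, not part of the thread and not KNIME code: one way to inventory the OpenSSL copies an installation bundles, before and after an update, by reading conda's own metadata instead of loading the DLLs. It assumes the conda-style layout visible in the paths above (a `pkgs\openssl-<version>-<build>` cache and environments with a `conda-meta` folder); the plugin name and DLL file names in the sample tree are constructed.

```python
import json
import re
import tempfile
from pathlib import Path

# conda names package directories and conda-meta records <name>-<version>-<build>
PKG_RE = re.compile(r"^openssl-(?P<version>[^-]+)-(?P<build>[^-]+)$", re.IGNORECASE)
LIB_RE = re.compile(r"^lib(crypto|ssl)[-\w.]*\.(dll|so[.\w]*|dylib)$", re.IGNORECASE)

def version_for(lib, root):
    # Walk up from a library file to the conda metadata that owns it
    for parent in lib.parents:
        match = PKG_RE.match(parent.name)
        if match:  # extracted package cache, e.g. pkgs/openssl-<version>-<build>
            return match["version"], "package directory name"
        meta = parent / "conda-meta"
        if meta.is_dir():  # environment root: read the installed-package record
            for record in meta.glob("*.json"):
                if PKG_RE.match(record.stem):
                    data = json.loads(record.read_text(encoding="utf-8"))
                    return data.get("version"), "conda-meta record"
        if parent == root:
            break
    return None, "unknown"

def find_bundled_openssl(root):
    # One finding per OpenSSL library under root, with the version conda recorded
    root, findings = Path(root), []
    for path in sorted(root.rglob("*")):
        if path.is_file() and LIB_RE.match(path.name):
            version, source = version_for(path, root)
            findings.append({"path": str(path.relative_to(root)), "version": version, "source": source})
    return findings

def build_sample_tree(base):
    """Constructed sample layout (hypothetical plugin name, empty stand-in DLLs)."""
    env = Path(base) / "plugins" / "org.example.python.channel" / "env"
    pkg = Path(base) / "bundling" / "root" / "pkgs" / "openssl-1.1.1q-h8ffe710_0"
    for lib in (env / "Library/bin/libcrypto-1_1-x64.dll",
                pkg / "Library/bin/libssl-1_1-x64.dll"):
        lib.parent.mkdir(parents=True)
        lib.touch()
    (env / "conda-meta").mkdir()
    (env / "conda-meta" / "openssl-1.1.1q-h8ffe710_0.json").write_text(
        json.dumps({"name": "openssl", "version": "1.1.1q"}), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*find_bundled_openssl(tmp), sep="\n")
```

Pointing `find_bundled_openssl` at the real installation directory gives a per-file version list that can be compared against the scanner's findings once the update is installed.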