Vulnerability Report till FNP-11.19.4 (Quick Referance)

Yes

	Vulnerability ID	Affected Module	FNP Component	JIRA (If any, Internal For Revenera)	Fixed in Release	Comments	CVSS2

1	CVE-2020-11984	apache	lmadmin.exe	FNP-23859	FNP v11.17.2
2	CVE-2020-9490	apache	lmadmin.exe	FNP-23860	FNP v11.17.2
3	CVE-2020-11993	apache	lmadmin.exe	FNP-23861	FNP v11.17.2
4	CVE-2014-3596	axis	axis.jar	FNP-24232		Under assesment with Engineering	5.8
5	CVE-2012-5784	axis	axis.jar	FNP-24232		Under assesment with Engineering	5.8
6	CVE-2019-0227	axis	axis.jar	FNP-24232		Under assesment with Engineering	5.4
7	CVE-2018-8032	axis	axis.jar	FNP-24232		Under assesment with Engineering	4.3
8	CVE-2018-20843	expat	haspsrm_win64.dll	FNP-22651	FNP v11.17.2
9	CVE-2019-15903	expat	haspsrm_win64.dll	FNP-22651	FNP v11.17.2
10	CVE-2019-7659	gsoap	lmadmin.exe	FNP-20529	Not an Issue with FNP	The vulnerability will be introduced if gsoap is build with WITH_COOKIES flag enabled. In FNP, gsoap is built without WITH_COOKIES. Hence, mentioned vulnerability will not impact FnpCommsSoap.dll or FNP.
11	CVE-2007-6059	javamail	mail.jar	FNP-17545		Javamail Vulnerability - Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products.
12	CVE-2020-24977	libxml2	lmadmin.exe	FNP-23595		Under assesment with Engineering	6.4
13	CVE-2019-1563	openssl	libcrypto-1_1-x64.dll	No Issues Reported Yet	I see that OpenSSL version in FNP-11.17.1 is 1.1.0k. So, this shouldn't have been reported in v11.17.1 lmadmin	Fixed in OpenSSL 1.0.2t (Affected 1.0.2-1.0.2s)	4.3
14	CVE-2020-14155	pcre	lmadmin.exe	FNP-23271	FNP v11.17.2
15	CVE-2018-1311	xerces-c++	xerces-c_3_2.dll	FNP-22313	No Fix Needed for FNP	The Vulnerability reported has not been resolved any of the published versions of xerces, thus we can not update it to some version with resolved vulnerability, but this vulnerability can be mitigated by disabling the DTD processing while using the parser from xerces. On analysis of lmadmin, we figured out that DTD processing is already been disabled using the DOM parser from long time. Thus lmadmin is not vulnerable to this vulnerability "CVE-2018-1311" and no fix is required for the same.
16	CVE-2016-9840	zlib	hasp_rt.exe	FNP-19942 && FNP-17545	FNP v11.17.2
17	CVE-2016-9841	zlib	hasp_rt.exe	FNP-19942 && FNP-17545	FNP v11.17.2
18	CVE-2016-9842	zlib	hasp_rt.exe	FNP-19942 && FNP-17545	FNP v11.17.2
19	CVE-2016-9843	zlib	hasp_rt.exe	FNP-19942 && FNP-17545	FNP v11.17.2
20	CVE-2020-7595 CVE-2019-20388 CVE-2020-24977	libxml2	lmadmin	FNP-23595	FNP v11.18.1	Multiple vulnerabilities were found in libxml2 v2.9.10, which is used by lmadmin. Latest available patches were applied to libxml2 to resolve the vulnerabilities CVE-2020-7595, CVE-2019-20388 and CVE-2020-24977
21	CVE-2021-3450	openssl	lmadmin	FNP-25063	FNP v11.18.1	The CVE-2021-3450 vulnerability is seen with openssl-1.1.1i version in 11.18.1.0 release. It will be resolved in successive FNP release.
22	CVE-1999-0236 CVE-1999-1412 CVE-2007-0086	apache	lmgrd,lmadmin and unitily	FNP-25244	FNP v11.18.2	The vulnerabilities CVE-1999-0236, CVE-1999-1412, and CVE-2007-0086, which were observed through Code Insight Scan has been resolved.	10.0
23	CVE-2022-40303		libxml2	FNP-27980 FNP-27932	FNP v11.19.4	The vulnerabilities CVE-2022-40303 and CVE-2022-40304 are fixed by upgrading the libxml2 from version 2.9.14 to version 2.10.3.

jbforster · ‎Nov 12, 2020

Now, that saved my day!!!! Thanks alot.