{ "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:5617066a-9484-46af-be5e-c3c30fd11274", "version": 1, "metadata": { "timestamp": "2025-01-16T00:00:00Z", "authors": [ { "name": "Connext Security Team", "email": "security@rti.com" } ], "component": { "type": "framework", "bom-ref": "Connext Cert", "supplier": { "name": "Real-Time Innovations, Inc. (RTI)", "url": [ "https://www.rti.com" ] }, "name": "Connext Cert" }, "properties": [ { "name": "last_updated", "value": "2026-04-28T09:59:50Z" } ] }, "vulnerabilities": [ { "bom-ref": "CVE-2024-47554", "id": "CVE-2024-47554", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47554" }, "ratings": [ { "source": { "name": "CISA-ADP", "url": "https://github.com/cisagov/vulnrichment/blob/develop/2024/47xxx/CVE-2024-47554.json" }, "score": 4.3, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L" } ], "cwes": [ 400 ], "description": "Uncontrolled Resource Consumption vulnerability in Apache Commons IO.\n\nThe org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.\n\n\nThis issue affects Apache Commons IO: from 2.0 before 2.14.0.\n\nUsers are recommended to upgrade to version 2.14.0 or later, which fixes the issue.", "published": "2024-10-03T12:15:02Z", "updated": "2024-12-04T15:15:11Z", "analysis": { "state": "not_affected", "justification": "code_not_reachable", "detail": "Connext does not use the impacted component.", "firstIssued": "2024-11-25T12:06:41.884000Z", "lastUpdated": "2024-11-27T15:37:49.870000Z" }, "affects": [ { "ref": "Connext Cert" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-277" }, { "name": "xray_id", "value": "XRAY-645644" } ] }, { "bom-ref": "CVE-2025-48924", "id": "CVE-2025-48924", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924" }, "ratings": [ { "source": { "name": "CISA-ADP", "url": "https://github.com/cisagov/vulnrichment/blob/develop/2025/48xxx/CVE-2025-48924.json" }, "score": 5.3, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "cwes": [ 674 ], "description": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.", "published": "2025-07-11T15:15:24Z", "updated": "2025-07-28T13:45:38Z", "analysis": { "state": "not_affected", "justification": "code_not_reachable", "detail": "No RTI Connext Micro and RTI Connext Cert products invoke the impacted function ClassUtils.getClass, either within the RTI tools' direct source code or in any plugin dependencies.", "firstIssued": "2025-08-07T10:51:16Z", "lastUpdated": "2025-08-07T10:51:16Z" }, "affects": [ { "ref": "Connext Cert" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-378" }, { "name": "xray_id", "value": "XRAY-710140" } ] }, { "bom-ref": "CVE-2025-68161", "id": "CVE-2025-68161", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68161" }, "ratings": [ { "source": { "name": "security@apache.org" }, "score": 6.3, "severity": "medium", "method": "CVSSv4", "vector": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2025-68161&vector=AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N&version=3.1" }, "score": 4.8, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "cwes": [ 295, 297 ], "description": "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n * The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender\u2019s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.", "published": "2025-12-18T21:15:57Z", "updated": "2026-01-20T01:15:55Z", "analysis": { "state": "not_affected", "justification": "protected_at_runtime", "detail": "We are not affected because Codegen doesn't use SocketAppender. Additionally, Codegen overwrites the default LoggerConfig after loading the context; therefore, even if a different configuration file is tried to be loaded, it will be ignored.", "firstIssued": "2026-01-22T11:37:48Z", "lastUpdated": "2026-01-22T11:37:48Z" }, "affects": [ { "ref": "Connext Cert" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-478" }, { "name": "xray_id", "value": "XRAY-905476" } ] }, { "bom-ref": "CVE-2026-34480", "id": "CVE-2026-34480", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34480" }, "ratings": [ { "source": { "name": "security@apache.org" }, "score": 6.9, "severity": "medium", "method": "CVSSv4", "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-34480&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N&version=3.1" }, "score": 7.5, "severity": "high", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" } ], "cwes": [ 116 ], "description": "Apache Log4j Core's XmlLayout https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout , in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification https://www.w3.org/TR/xml/#charsets producing invalid XML output whenever a log message or MDC value contains such characters.\n\nThe impact depends on the StAX implementation in use:\n\n * JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.\n * Alternative StAX implementations (e.g., Woodstox https://github.com/FasterXML/woodstox , a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.\n\n\nUsers are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.", "published": "2026-04-10T16:16:31Z", "updated": "2026-04-24T18:21:54Z", "analysis": { "state": "not_affected", "justification": "code_not_reachable", "detail": "We are using an affected version log4j-core 2.25.3 so the vulnerable class XmlLayout is present on the classpath. The exploit requires XmlLayout to be active in an appender \u2014 and it never is. There is no configuration path, no programmatic path (We use PatternLayout, not XmlLayout)", "firstIssued": "2026-04-16T23:21:47Z", "lastUpdated": "2026-04-28T09:59:50Z" }, "affects": [ { "ref": "Connext Cert" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-562" }, { "name": "xray_id", "value": "XRAY-963652" } ] } ] }