Dear Members,
We are using Pentaho CE Version 9.4. We found that this version of Pentaho is using a lower version of Spring, which has quite a few critical vulnerabilities. We have scanned the machine / image with the Snyk tool.
Since these JAR files are internal to Pentaho as a product, we are not sure how to tackle them from an upgrade point of view.
A couple of things I need help with:
- Should we upgrade their version on our own? Would it impact the overall product?
- Should we downgrade our version to 9.3 since it contains patches? Does version 9.3 cover the fix for the Spring vulnerabilities?
- What is the plan to fix these critical vulnerabilities in version 9.4?
Hoping for answers to guide me in the right direction.
Thanks, Niraj Salot.
------------------------------
Niraj Salot
Others
Scan-IT
------------------------------