Third-party Java libraries often have security issues flagged that are fixed in later versions. The fix may require a major version update, a minor version update, or just a patch version update. SDL Web/SDL Tridion ship with various third-party JAR files that may be vulnerable.

For SDL Web 8.5, the reference is here: https://docs.sdl.com/792152/422955/sdl-web-8-5/content-delivery-third-party-jar-file-reference
SDL Web 8.5 is end of life as of December 31st, 2020. The process to update libraries via hotfixes is not applicable to this version.

For SDL Tridion 2013 SP1, the reference is here: https://docs.sdl.com/792475/512506/sdl-tridion-2013-sp1/content-delivery-third-party-jar-file-reference
2013 SP1 is end of life as of December 31st, 2019. The process to update libraries via hotfixes is not applicable to this version.

For SDL Tridion Sites 9.0, the reference is here: https://docs.sdl.com/792149/668974/sdl-tridion-sites-9/content-delivery-third-party-jar-file-reference

For SDL Tridion Sites 9.1, the reference is here: https://docs.sdl.com/783502/693215/sdl-tridion-sites-9-1/content-delivery-third-party-jar-file-reference

For SDL Tridion Sites 9.5, the reference is here: https://docs.sdl.com/816112/769577/sdl-tridion-sites-9-5/content-delivery-third-party-jar-file-reference
Some library updates can be done without hotfixes from SDL. Patch version updates, for example Spring 4.3.3 to Spring 4.3.15, can be applied to Content Delivery roles or services from the Java repository, where the libraries are available as open source.

For minor or major version updates, log a Support ticket with SDL to determine whether applying the library update is viable, whether a hotfix is required or even possible given changes in dependencies and/or interfaces, and whether the specific vulnerability is even applicable to the SDL application.
Security-related fixes are part of the third-party JAR files used by the SDL Web/SDL Tridion Content Delivery stack in the versions that are shipped.
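The patch versus minor/major rule above can be applied to a list of JAR file names before any update is attempted. The following is an added example, not SDL code: the function names, the sample JAR names and the proposed target versions are constructed for illustration, and it assumes file names of the form `artifact-major.minor[.patch][qualifier].jar`.

```python
import re

# "<artifact>-<major>.<minor>[.<patch>][qualifier].jar", e.g. spring-core-4.3.3.RELEASE.jar
JAR_RE = re.compile(
    r"^(?P<artifact>.+)-(?P<version>\d+(?:\.\d+){1,2})(?:[.-][A-Za-z][\w.-]*)?\.jar$"
)

def parse_version(text):
    """'4.3.15' -> (4, 3, 15); a missing patch component counts as 0."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_jar(filename):
    """Return (artifact, version tuple), or None if the name carries no version."""
    m = JAR_RE.match(filename)
    return (m.group("artifact"), parse_version(m.group("version"))) if m else None

def classify(current, target):
    """Name the highest version component that changes (integer, not string, compare)."""
    if target <= current:
        return "none"
    if target[0] != current[0]:
        return "major"
    if target[1] != current[1]:
        return "minor"
    return "patch"

# Patch-level bumps can be applied directly; minor/major go to SDL Support first.
ACTION = {"none": "no change", "patch": "apply update",
          "minor": "log support ticket", "major": "log support ticket"}

def triage(jar_names, targets):
    """Map each JAR file name to the action its proposed update calls for."""
    plan = {}
    for name in jar_names:
        parsed = parse_jar(name)
        if parsed is None:
            plan[name] = "review manually"      # no version in the file name
        elif parsed[0] not in targets:
            plan[name] = "no update proposed"
        else:
            plan[name] = ACTION[classify(parsed[1], parse_version(targets[parsed[0]]))]
    return plan

if __name__ == "__main__":
    # Constructed sample data, not taken from an SDL installation.
    jars = ["spring-core-4.3.3.RELEASE.jar", "jackson-databind-2.8.11.jar",
            "commons-lang3-3.4.jar", "custom-extension.jar"]
    proposed = {"spring-core": "4.3.15", "jackson-databind": "2.9.10", "commons-lang3": "3.4"}
    for name, action in triage(jars, proposed).items():
        print(f"{name}: {action}")
```

Versions are compared as integer tuples, so 4.3.15 is correctly treated as newer than 4.3.3, which a plain string comparison would get wrong.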