If an Infogix product has a vulnerability, it is treated as a product functionality issue and handled under our standard support policy, including that policy's SLAs. Vulnerability severity is rated using the Common Vulnerability Scoring System (CVSS).
Whether a fix is delivered as a patch or included in a future update/version depends on the complexity of the changes required. Infogix will make commercially reasonable best efforts to deliver fixes for critical vulnerabilities as patches. Lower-severity vulnerabilities will be fixed in future product updates and versions.
Note that a vulnerability in a third-party dependency may first need to be patched by the third-party vendor before the fix can be included in Infogix products.
Example Scenarios
A new version of the Apache POI library is released with a fix for a critical vulnerability. Because this is a small-scale library update, it can be delivered via a product patch.
A new version of the Jackson library corrects a vulnerability. The new version must first be included in Hadoop before it can be included in Data360 DQ+, because the JAR files shipped with Data360 DQ+ must match the versions of the JAR files within Hadoop. Once the updated library is included in Hadoop, the fix can be delivered via a product patch.
A critical vulnerability is found in Adobe Flash after Adobe ends support for Flash in December 2020. Perceive 9.2 uses Adobe Flash and is supported by Infogix until March 31, 2021. If a vulnerability is found while Adobe Flash is out of support and Perceive 9.2 is still in support, the resolution is to upgrade to Perceive 9.3, which is already available and does not use Adobe Flash. A patch is not possible in this scenario because of the extensive use of Adobe Flash in Perceive 9.2.