This document lists known security issues that might be relevant for TranslationStudio.

Wherever possible, recommendations are discussed and steps suggested to address any such issue.

This page will be updated whenever we learn about a relevant issue.

1. General Recommendations

The following recommendations are general tips to minimise the threat exposure right from the start.

  • Stay up-to-date with the latest JDK version compatible with TranslationStudio

  • Follow the principle of least privilege when operating TranslationStudio. You can update the start script to change the user/group accordingly.

  • Only grant access to external URLs where needed. Usually, TranslationStudio has a very specific (short) list of addresses it needs to contact: the email server, the translation memory system provider (if applicable) and the CMS.

2. Common Vulnerabilities and Exposures (CVE)

Issue: CVE-2022-22965, CVE-2022-22963
Status: Not impacted (01.04.2022)
Description: TranslationStudio is not affected by these vulnerabilities (remote code execution in Spring Framework and Spring Cloud Function).

Issue: CVE-2021-44228 - Apache Log4j
Status: Not impacted (13.12.2021)
Description: TranslationStudio is not directly affected, because it does not use Log4j. Its dependencies also do not add the library to the classpath. Please follow the general advice related to this CVE.

You can directly deactivate the behaviour causing the issue by adding the following JVM option to ./conf/jvm.conf:

-Dlog4j2.formatMsgNoLookups=true
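To verify the statement that no dependency adds Log4j to the classpath, the following script (an added example, not part of TranslationStudio) walks an installation directory and reports every jar, war or ear that bundles log4j-core's JndiLookup class, including archives nested one level inside fat jars; the installation path is an assumed command-line argument.

```python
# Added check (not TranslationStudio code): find log4j-core's JndiLookup class in jars.
import io
import os
import sys
import zipfile

JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")

def log4j_version(zf):
    """Read log4j-core's Maven pom.properties if present, else 'unknown'."""
    for name in zf.namelist():
        if name.endswith(POM_PROPS):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return "unknown"

def scan_archive(zf, label, depth=0):
    """Return (label, version) hits for this archive and archives nested one level down."""
    names = zf.namelist()
    hits = [(label, log4j_version(zf))] if JNDI_LOOKUP in names else []
    if depth == 0:  # fat/shaded jars often ship dependencies as inner jars
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                try:
                    inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
                except zipfile.BadZipFile:
                    continue
                hits.extend(scan_archive(inner, f"{label}!{name}", depth + 1))
    return hits

def find_log4j_core(root):
    """Scan every archive below `root`; [] means no JndiLookup class was found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        hits.extend(scan_archive(zf, path))
                except zipfile.BadZipFile:
                    continue  # not a real archive, skip it
    return hits

if __name__ == "__main__":  # assumed usage: python scan_log4j.py /path/to/TranslationStudio
    for label, version in find_log4j_core(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"log4j-core {version} found in {label}")
```

An empty result means the jvm.conf flag above is defence in depth only; where the scan does report a log4j-core jar, updating that dependency is the reliable fix rather than relying on the flag.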