TopBraid Enterprise Data Governance (EDG) Security
TopQuadrant Vulnerability Management Policies
This page describes TopQuadrant’s policies for addressing potential vulnerabilities in our products.
| Area | Policy |
|---|---|
| Open Source Software | TopQuadrant maintains a current list of open source software used in EDG available here. TopQuadrant updates these libraries regularly to ensure the most current security patches are applied. |
| Scans | TopQuadrant's code base is continually monitored for known vulnerabilities. Prior to releases, a complete scan is done as well. Please contact TopQuadrant support for copies of this report. Customers typically run independent audits of the software for compliance specific to their organization as well, such as FISMA. TopQuadrant consistently passes these audits. |
| Response | All vulnerabilities are analyzed for impact and severity. If a vulnerability is found to be critical in the context of normal operation of the software, it will be remedied with a patch, a new release, or mitigation controls. Non-critical vulnerabilities will be remedied in the following release. |
| Notification | Customers will be notified through TopQuadrant support if critical vulnerabilities are found that will have an impact on the software and its use by customers. |
| Reporting | Customers are encouraged to contact TopQuadrant support to report any security concerns or questions regarding TopQuadrant software. |
The following table shows the CVEs addressed in recent TopQuadrant releases. You can find more information in the release notes and corresponding change logs.
| Release | CVE | Impact |
|---|---|---|
| 6.4.0 | CVE-2020-7662: websocket-extensions | low |
| 6.4.0 | CVE-2019-0205, CVE-2019-0210: Apache Thrift (Apache Jena) | low |
| 6.4.1 | CVE-2020-13822: elliptic | low |
| 6.4.1 | CVE-2020-8203: lodash | low |
| 6.4.2 | CVE-2019-10086, CVE-2013-0248, CVE-2014-0050, CVE-2016-1000031, CVE-2016-3092, CVE-2012-0881 | low |
| 6.4.4 | Removed debugging utility with additional abilities | high |
| 7.0.0 | CVE-2018-10237, CVE-2019-12400, CVE-2020-2773, CVE-2020-8908, CVE-2020-25649, CVE-2019-10744, CVE-2020-8203, CVE-2021-23337, CVE-2015-9251 | low |
| 7.0.1 | Removed debugging utility with additional abilities | high |
| 7.1.0 | CVE-2019-13990: Quartz | low |
| 7.0.4 | CVE-2021-45046: Log4j | low |
| 7.0.4 | CVE-2021-44228: Log4j | critical |
| 7.0.5 | CVE-2021-45105: Log4j | low |
| 7.1.1 | CVE-2021-45046: Log4j | low |
| 7.1.1 | CVE-2021-44228: Log4j | critical |
| 7.1.2 | CVE-2021-45105: Log4j | low |
| 7.1.3 | CVE-2021-44832: Log4j 2.17 | low |
| 7.2.0 | CVE-2021-37714, CVE-2020-26870, CVE-2021-3749, CVE-2020-28168, CVE-2021-42340 | low |