Nuance Development team analyzed customer's concern related to security vulnerabilities on Couchbase and provided the following feedback:
In short, below are some facts which together prove that Nuance already use a Couchbase version which has the fix for CVE-2013-7239:
- Equitrac uses Couchbase v4.6.1-3652, which was released in March 2017.
- The Memcached issue Customer reported was fixed in Memcached codebase in December 2013, with Memcached v1.4.17.
- Couchbase uses its own fork of Memcached, which differs from the original Memcached code base.
- The original Memcached fix can be found in the Couchbase version.
- This fix is in there since at least September 29, 2015.
In Summary, the original problem was fixed in 2013, and Nuance can prove that the fix is in the Couchbase repository since at least 2015, and Equitrac uses a build of Couchbase from 2017.
For additional details please refer to the attached document.