[ https://issues.apache.org/jira/browse/XERCESJ-1756?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17807157#comment-17807157 ]

Arnout Engelen commented on XERCESJ-1756:
-----------------------------------------

Unfortunately [https://blogs.securiteam.com/index.php/archives/3271] is no 
longer up (and not available on archive.org), but the discussion in 
[https://github.com/jeremylong/DependencyCheck/issues/4614] suggests this may 
have to do with {{XMLEntityManager.setupCurrentEntity()}} not having a timeout. 
[https://github.com/OSSIndex/vulns/issues/328#issuecomment-1287175491] also 
mentions this.

[https://www.exploit-db.com/exploits/44057] describes two issues, one generic 
and one specific to Xerces-j.

[https://security.snyk.io/vuln/SNYK-JAVA-XERCES-31497] leads by describing the 
FTP problem, then confusingly continues with a generic unrelated description of 
ReDOS attacks. It claims xerces-j 2.11.0 is no longer affected.

TBH I'm somewhat sceptical of this whole issue - when processing untrusted 
input shouldn't people be disabling loading external entities anyway?

> CVE-2017-10355
> --------------
>
>                 Key: XERCESJ-1756
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1756
>             Project: Xerces2-J
>          Issue Type: Task
>    Affects Versions: 2.12.2
>            Reporter: Danny Trunk
>            Priority: Critical
>              Labels: security
>
> *CVE-2017-10355* (OSSINDEX)  
>  
> sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS) The software 
> contains multiple threads or executable segments that are waiting for each 
> other to release a necessary lock, resulting in deadlock.
> CWE-833 Deadlock
> CVSSv3:
>  * Base Score: MEDIUM (5.9)
>  * Vector: CVSS:/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
> References:
>  * OSSINDEX - [[CVE-2017-10355] CWE-833: 
> Deadlock|https://ossindex.sonatype.org/vulnerability/CVE-2017-10355?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1]
>  * OSSIndex - [https://blogs.securiteam.com/index.php/archives/3271]
>  
> Vulnerable Software & Versions (OSSINDEX):
>  * cpe:2.3:a:xerces:xercesImpl:2.12.2:*:*:*:*:*:*:*



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
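On the comment's point about disabling external entity loading for untrusted input: the following is an added example, not code from the Jira thread or the Xerces project, showing how a JAXP DocumentBuilderFactory (as implemented by Xerces-J) can be configured so that no DTD or external entity is ever fetched. The feature URIs are the standard SAX/Xerces ones; the sample documents and the host name are constructed.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.StringReader;

public class HardenedXmlParser {

    /** Build a DocumentBuilder that never resolves external resources. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; this alone blocks external DTDs and entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that permit a DOCTYPE but honour these SAX/Xerces features.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Last line of defence: a resolver that hands back an empty stream instead of fetching anything.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = newHardenedBuilder();
        // Constructed sample: a DOCTYPE whose system identifier points at an external host.
        String untrusted = "<!DOCTYPE doc SYSTEM \"http://example.invalid/dtd\"><doc/>";
        try {
            b.parse(new InputSource(new StringReader(untrusted)));
            System.out.println("parsed (unexpected)");
        } catch (SAXException e) {
            // Expected: the DOCTYPE is rejected before any network activity can start.
            System.out.println("rejected: " + e.getMessage());
        }
        // A plain document without a DOCTYPE still parses normally.
        Document ok = b.parse(new InputSource(new StringReader("<doc><a>1</a></doc>")));
        System.out.println("root: " + ok.getDocumentElement().getTagName());
    }
}
```

With the DOCTYPE rejected up front, the parser never reaches the external-entity fetch that the linked discussion associates with the missing timeout.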
