This is an automated email from the ASF dual-hosted git repository. alexoree pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/juddi.git
The following commit(s) were added to refs/heads/master by this push: new 4bfb64b site update 4bfb64b is described below commit 4bfb64babdf5781e0e69cde9a98525f5eed3d380 Author: Alex O'Ree <alexo...@apache.org> AuthorDate: Wed Jul 28 18:33:11 2021 -0400 site update --- src/site/markdown/index.md | 2 ++ src/site/markdown/releases.md | 2 +- src/site/markdown/security.md | 27 +++++++++++++++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) diff --git a/src/site/markdown/index.md b/src/site/markdown/index.md index 2df1573..927ae73 100644 --- a/src/site/markdown/index.md +++ b/src/site/markdown/index.md @@ -43,6 +43,8 @@ jUDDI (pronounced "Judy") is an open source Java implementation of [OASIS](https ## News +Jul 1, 2021, jUDDI Release 3.3.10 + Aug 18, 2020, jUDDI Release 3.3.9 Mar 15, 2020, jUDDI Release 3.3.8 diff --git a/src/site/markdown/releases.md b/src/site/markdown/releases.md index 494caf2..b3cfb2b 100644 --- a/src/site/markdown/releases.md +++ b/src/site/markdown/releases.md @@ -4,7 +4,7 @@ Title: Downloads and Releases | Name | Date | Description | | --- | --- | --- | -| [3.3.9](http://www.apache.org/dyn/closer.cgi/juddi/juddi/3.3.9/) | Aug 18, 2020 | Stable 3.3.9 Release | | +| [3.3.10](http://www.apache.org/dyn/closer.cgi/juddi/juddi/3.3.10/) | Jul 1, 2021 | Stable 3.3.10 Release | | | [Older releases](http://archive.apache.org/dist/juddi/) | | Archived Releases | diff --git a/src/site/markdown/security.md b/src/site/markdown/security.md index 59d5a37..8453a7e 100644 --- a/src/site/markdown/security.md +++ b/src/site/markdown/security.md 
@@ -2,6 +2,33 @@ Title: Security Advisories ## Security Advisories for Apache jUDDI +### CVEID [CVE-2021-37578](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37578) + +VERSION: older than 3.3.10 + +PROBLEMTYPE: Remote Code Execution + +REFERENCES: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37578 + +DESCRIPTION: Apache jUDDI uses several classes related to Java's Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services. + +RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely. + +For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed. + +Severity: Low + +Mitigation: + +jUDDI Clients, disable RMITransports (found in uddi.xml) and use alternate transports such as HTTPS. +jUDDI Server (juddiv3.war/WEB-INF/classes/juddiv3.xml), disable JNDI and RMI settings in juddiv3.xml. +The appropriate settings are located below in xpath style notation. + + juddi/jndi/registration=false + juddi/rmi/registration=false + +If the settings are not present, then JNDI and RMI are already disabled. This is the default setting. + ### CVEID [CVE-2018-1307](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1307) VERSION: 3.2 through 3.3.4 --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@juddi.apache.org For additional commands, e-mail: commits-h...@juddi.apache.org
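Review bot: the added News entry in index.md (`+Jul 1, 2021, jUDDI Release 3.3.10`) carries no link, and this is the release that, per the security.md hunk in the same push, removes the RMI code behind CVE-2021-37578; consider linking the entry to the releases page or the advisory so readers see that 3.3.10 is a security-fix release and not just a routine update.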
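Review bot: the replacement row in releases.md ends with `| |`, which adds an empty fourth cell to a three-column table (`| Name | Date | Description |`); drop the trailing `|` while the line is being touched. The download link also uses plain `http://` for `www.apache.org/dyn/closer.cgi/juddi/juddi/3.3.10/`; use `https://` so the mirror-selection page is not fetched over cleartext. Replacing the 3.3.9 row rather than keeping it matches the existing layout (one current release plus the archive link), so no objection there.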
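Review bot: the Mitigation section of the new CVE-2021-37578 entry in security.md lists only configuration changes and never says to upgrade, although the description states that all RMI related code was removed in 3.3.10; lead the mitigation with "Upgrade to 3.3.10 or later" and present the juddiv3.xml settings as the workaround for installations that cannot upgrade yet. The client-side line ("disable RMITransports (found in uddi.xml)") names no concrete setting, while the server side gets `juddi/jndi/registration=false` and `juddi/rmi/registration=false`; add the corresponding uddi.xml element or key so client operators have something definite to check. Minor: `VERSION: older than 3.3.10` would read more consistently with the existing entries (e.g. `VERSION: 3.2 through 3.3.4`) as an explicit range such as "3.3.9 and earlier".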