[ 
https://issues.apache.org/jira/browse/TOMEE-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492393#comment-17492393
 ] 

Richard Zowalla commented on TOMEE-3838:
----------------------------------------

Hi [~AJIGOPAL]

We do not use the Apache James Mail server in the code base. Reading the CVE it 
sounds like Apache James (Server) is vulnerable to the CVE mentioned above as 
well as to

- https://nvd.nist.gov/vuln/detail/CVE-2021-38542
- https://nvd.nist.gov/vuln/detail/CVE-2021-40111
- https://nvd.nist.gov/vuln/detail/CVE-2021-40525

However, Geronimo Java Mail (1.0.1) uses apache-mime4j-core-0.8.6.jar as a shaded 
dependency. Therefore, I think that this might be a false positive. Can you 
re-check? Please see the different utility libraries released under Apache 
James: https://james.apache.org/download.cgi

Regards
Richard


> TomEE Plume - CVE-2021-40110
> ----------------------------
>
>                 Key: TOMEE-3838
>                 URL: https://issues.apache.org/jira/browse/TOMEE-3838
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 8.0.9
>            Reporter: AJIT GOPALAN
>            Priority: Blocker
>
> TomEE Plume 8.0.9 suffers from CVE-2021-40110
> This is a bug in Apache James, that manifests itself through the Geronimo 
> Mail jar dependency in TomEE (layer.tar: apache-tomee-8.0.9-plume.tar.gz: 
> apache-tomee-8.0.9-plume.tar: geronimo-javamail_1.6_mail-1.0.1.jar (shaded: 
> org.apache.james:apache-mime4j-core:0.8.1))
> CVE Summary - 
> _"In Apache James, using Jazzer fuzzer, we identified that an IMAP user can 
> craft IMAP LIST commands to orchestrate a Denial Of Service using a 
> vulnerable Regular expression. This affected Apache James prior to 3.6.1 We 
> recommend upgrading to Apache James 3.6.1 or higher , which enforce the use 
> of RE2J regular expression engine to execute regex in linear time without 
> back-tracking."_
> [https://nvd.nist.gov/vuln/detail/CVE-2021-40110#vulnCurrentDescriptionTitle]



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
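The re-check asked for in the comment above comes down to one question: what from Apache James is actually inside the shaded Geronimo JavaMail jar? A scanner keyed on the org.apache.james groupId cannot tell the mime4j parsing library apart from the James IMAP server that CVE-2021-40110 describes. The script below is an added example for this thread, not TomEE, Geronimo or James code. It opens a jar with Python's zipfile, counts classes under org.apache.james.mime4j, lists any org.apache.james class outside that package (where server-side code would have to live), and reads the version out of any META-INF/maven/.../pom.properties the shade step left behind (an assumption: a shade configuration may strip those). The sample jar it builds is constructed in a temporary directory purely to exercise the checks; the class names in it are placeholders, not a claim about the real artifact's contents.

```python
"""Inspect a (possibly shaded) jar for what it really carries from Apache James.

Added example for the TOMEE-3838 discussion; not code from TomEE, Geronimo or
Apache James. Assumes shaded pom.properties files survive under META-INF/maven.
"""
import re
import tempfile
import zipfile
from pathlib import Path

MIME4J_PREFIX = "org/apache/james/mime4j/"   # the library Geronimo JavaMail shades
JAMES_PREFIX = "org/apache/james/"           # anything else here is not mime4j
POM_PROPS = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")


def inspect_jar(jar_path):
    """Return a report on the org.apache.james content of jar_path.

    mime4j_classes:      number of classes under org.apache.james.mime4j
    other_james_classes: org.apache.james classes outside mime4j; James server
                         code (the subject of CVE-2021-40110) would appear here
    shaded_artifacts:    {(groupId, artifactId): version} from pom.properties
    """
    report = {"mime4j_classes": 0, "other_james_classes": [], "shaded_artifacts": {}}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith(".class"):
                if name.startswith(MIME4J_PREFIX):
                    report["mime4j_classes"] += 1
                elif name.startswith(JAMES_PREFIX):
                    report["other_james_classes"].append(name)
                continue
            match = POM_PROPS.match(name)
            if match:
                props = {}
                for line in jar.read(name).decode("utf-8", "replace").splitlines():
                    line = line.strip()
                    if line and not line.startswith("#") and "=" in line:
                        key, _, value = line.partition("=")
                        props[key.strip()] = value.strip()
                report["shaded_artifacts"][(match.group(1), match.group(2))] = props.get("version", "?")
    return report


def server_code_present(report):
    """True only if the jar holds org.apache.james classes beyond mime4j."""
    return bool(report["other_james_classes"])


def build_sample_jar(directory, mime4j_version="0.8.6", with_server_class=False):
    """Constructed sample jar mimicking a mail jar that shades mime4j.

    The entries are placeholders (4-byte class-file magic, not real bytecode);
    this is NOT the real geronimo-javamail artifact.
    """
    path = Path(directory) / "sample-shaded.jar"
    magic = b"\xca\xfe\xba\xbe"
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("javax/mail/Session.class", magic)
        jar.writestr("org/apache/james/mime4j/dom/Message.class", magic)
        jar.writestr("org/apache/james/mime4j/stream/MimeTokenStream.class", magic)
        jar.writestr(
            "META-INF/maven/org.apache.james/apache-mime4j-core/pom.properties",
            "#Generated by Maven\n"
            f"version={mime4j_version}\n"
            "groupId=org.apache.james\n"
            "artifactId=apache-mime4j-core\n",
        )
        if with_server_class:
            # hypothetical path standing in for James server code; not a real class
            jar.writestr("org/apache/james/imapserver/Placeholder.class", magic)
    return str(path)


def demo(mime4j_version="0.8.6", with_server_class=False):
    """Build the constructed jar in a temp dir and inspect it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inspect_jar(build_sample_jar(tmp, mime4j_version, with_server_class))


if __name__ == "__main__":
    # Point inspect_jar() at a real file, e.g. geronimo-javamail_1.6_mail-1.0.1.jar,
    # to do the same check on an actual TomEE distribution.
    r = demo()
    print("mime4j classes:", r["mime4j_classes"])
    print("other org.apache.james classes:", r["other_james_classes"])
    print("shaded artifacts:", r["shaded_artifacts"])
    print("James server code present:", server_code_present(r))
```

Run against the real jar from a TomEE distribution, an empty other_james_classes list together with an apache-mime4j-core entry in shaded_artifacts is the evidence that the match is on the mime4j library, not on the James server, which is the basis of the false-positive argument in the comment; whether a scanner then accepts that is a question for its suppression rules.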