[https://issues.apache.org/jira/browse/TOMEE-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492393#comment-17492393]
Richard Zowalla commented on TOMEE-3838:
----------------------------------------
Hi [~AJIGOPAL]
We do not use the Apache James Mail server in the code base. Reading the CVE it
sounds like Apache James (Server) is vulnerable to the CVE mentioned above as
well as to
- https://nvd.nist.gov/vuln/detail/CVE-2021-38542
- https://nvd.nist.gov/vuln/detail/CVE-2021-40111
- https://nvd.nist.gov/vuln/detail/CVE-2021-40525
However, Geronimo Java Mail (1.0.1) uses apache-mime4j-core-0.8.6.jar as a shaded
dependency. Therefore, I think that this might be a false positive. Can you
re-check? Please see the different utility libraries released under Apache
James: https://james.apache.org/download.cgi
Regards
Richard
> TomEE Plume - CVE-2021-40110
> ----------------------------
>
> Key: TOMEE-3838
> URL: https://issues.apache.org/jira/browse/TOMEE-3838
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 8.0.9
> Reporter: AJIT GOPALAN
> Priority: Blocker
>
> TomEE Plume 8.0.9 suffers from CVE-2021-40110
> This is a bug in Apache James, that manifests itself through the Geronimo
> Mail jar dependency in TomEE (layer.tar: apache-tomee-8.0.9-plume.tar.gz:
> apache-tomee-8.0.9-plume.tar: geronimo-javamail_1.6_mail-1.0.1.jar (shaded:
> org.apache.james:apache-mime4j-core:0.8.1))
> CVE Summary -
> _"In Apache James, using Jazzer fuzzer, we identified that an IMAP user can
> craft IMAP LIST commands to orchestrate a Denial Of Service using a
> vulnerable Regular expression. This affected Apache James prior to 3.6.1. We
> recommend upgrading to Apache James 3.6.1 or higher, which enforces the use
> of RE2J regular expression engine to execute regex in linear time without
> back-tracking."_
> [https://nvd.nist.gov/vuln/detail/CVE-2021-40110#vulnCurrentDescriptionTitle]