[
https://issues.apache.org/jira/browse/TOMEE-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492534#comment-17492534
]
Richard Zowalla commented on TOMEE-3838:
----------------------------------------
As an addition by [~jgallimore] via Slack:
{quote}Some further detail on that CVE.... here is the commit that fixed it:
https://github.com/apache/james-project/commit/55508d298247dbbebf230f77eacd0222d248dcba
- the class that is affected is:
https://github.com/apache/james-project/blob/master/mailbox/api/src/main/java/org/apache/james/mailbox/model/search/PrefixedRegex.java
A quick find . -name "*.jar" -exec jar tf "{}" \; | grep PrefixedRegex confirms
that we do not include this class in TomEE.{quote}
> TomEE Plume - CVE-2021-40110
> ----------------------------
>
> Key: TOMEE-3838
> URL: https://issues.apache.org/jira/browse/TOMEE-3838
> Project: TomEE
> Issue Type: Bug
> Components: TomEE Core Server
> Affects Versions: 8.0.9
> Reporter: AJIT GOPALAN
> Assignee: Richard Zowalla
> Priority: Blocker
>
> TomEE Plume 8.0.9 suffers from CVE-2021-40110
> This is a bug in Apache James, that manifests itself through the Geronimo
> Mail jar dependency in TomEE ({_}layer.tar: apache-tomee-8.0.9-plume.tar.gz:
> apache-tomee-8.0.9-plume.tar: geronimo-javamail_1.6_mail-1.0.1.jar (shaded:
> org.apache.james:apache-mime4j-core:0.8.1){_})
> CVE Summary -
> _"In Apache James, using Jazzer fuzzer, we identified that an IMAP user can
> craft IMAP LIST commands to orchestrate a Denial Of Service using a
> vulnerable Regular expression. This affected Apache James prior to 3.6.1 We
> recommend upgrading to Apache James 3.6.1 or higher , which enforce the use
> of RE2J regular expression engine to execute regex in linear time without
> back-tracking."_
> [https://nvd.nist.gov/vuln/detail/CVE-2021-40110#vulnCurrentDescriptionTitle]
--
This message was sent by Atlassian Jira
(v8.20.1#820001)