[
https://issues.apache.org/jira/browse/TOMEE-4263?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jonathan S. Fisher resolved TOMEE-4263.
---------------------------------------
Resolution: Fixed
> Update Apache Santuario Java (xmlsec) to mitigate CVE-2023-44483
> ----------------------------------------------------------------
>
> Key: TOMEE-4263
> URL: https://issues.apache.org/jira/browse/TOMEE-4263
> Project: TomEE
> Issue Type: Dependency upgrade
> Affects Versions: 8.0.14, 8.0.15
> Reporter: Nikhil
> Assignee: Jonathan S. Fisher
> Priority: Major
> Fix For: 8.0.16
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *CVE-2023-44483*
>
> All versions of Apache Santuario - XML Security for Java prior to 2.2.6,
> 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue
> where a private key may be disclosed in log files when generating an XML
> Signature and logging with debug level is enabled. Users are recommended to
> upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
>
> *Note:* In order to exploit this vulnerability, logging with debug level
> should be enabled.
> {*}Solution{*}: Fixed in versions:
> * [*2.2.6*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-2.2.6] by [this|https://github.com/apache/santuario-xml-security-java/commit/cd923d63ba2a02578b263258e749f3ed94389fd8] commit.
> * [*2.3.4*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-2.3.4] by [this|https://github.com/apache/santuario-xml-security-java/commit/c85db6be7f49815253f59902b066086a7ad5ce9a] commit.
> * [*3.0.3*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-3.0.3] by [this|https://github.com/apache/santuario-xml-security-java/commit/18999b9dced2c736f4a8d52d0c7d1b114351c77d] commit.
> * [*4.0.0*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-4.0.0] by [this|https://github.com/apache/santuario-xml-security-java/commit/c37a2aa5066405271e74f1c611a5a66fbf8c25d4] commit.
>
> +*TomEE releases*+
> * TomEE 8.0.14 ships xmlsec-2.2.3.jar
> * TomEE 8.0.15 ships xmlsec-2.3.2.jar
>
> Please review and do the needful
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
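The check an operator would want before and after the upgrade described in this issue: does the xmlsec jar shipped in a TomEE lib directory sit below the fixed version for its release line (2.2.6, 2.3.4, 3.0.3, or 4.0.0 and later, as listed in the CVE text)? The script below is an added example, not code from the TomEE project or from Apache Santuario. It assumes only the jar naming seen in the issue (`xmlsec-<version>.jar`) and a lib directory path supplied by the caller; the demo directory at the bottom is constructed, not a real installation.

```shell
#!/bin/sh
# Added example (not from the TomEE issue or the Santuario project): report whether an
# xmlsec jar is older than the release that fixes CVE-2023-44483 on its line.
# Fixed versions per the advisory text: 2.2.6 (2.2.x), 2.3.4 (2.3.x), 3.0.3 (3.0.x), 4.0.0+.

# vercmp_ge A B: exit 0 when dotted version A >= B (up to three numeric fields).
vercmp_ge() {
  a="$1."; b="$2."; i=0
  while [ "$i" -lt 3 ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# xmlsec_status PATH_OR_NAME: prints "vulnerable", "fixed" or "unknown" for xmlsec-<ver>.jar.
xmlsec_status() {
  name=$(basename "$1")
  ver=${name#xmlsec-}; ver=${ver%.jar}; ver=${ver%%-*}   # drop .jar and any -SNAPSHOT style qualifier
  case "$ver" in
    [0-9]*.[0-9]*.[0-9]*) ;;
    *) echo "unknown"; return 0 ;;                        # not an xmlsec jar, or no x.y.z version
  esac
  line=${ver%.*}                                          # major.minor, e.g. 2.2.3 -> 2.2
  case "$line" in
    2.2) min=2.2.6 ;;
    2.3) min=2.3.4 ;;
    3.0) min=3.0.3 ;;
    *)
      if vercmp_ge "$ver" 4.0.0; then echo "fixed"        # 4.0.0 and later carry the fix
      elif vercmp_ge "$ver" 2.2.6; then echo "unknown"    # a line the advisory text does not name
      else echo "vulnerable"; fi                          # anything older than 2.2.x is "prior to 2.2.6"
      return 0 ;;
  esac
  if vercmp_ge "$ver" "$min"; then echo "fixed"; else echo "vulnerable"; fi
}

# scan_lib_dir DIR: one line per xmlsec jar ("<status> <jar>"); exit 1 if any is vulnerable.
scan_lib_dir() {
  bad=0
  for jar in "$1"/xmlsec-*.jar; do
    [ -e "$jar" ] || continue                             # unexpanded glob: no xmlsec jar present
    st=$(xmlsec_status "$jar")
    echo "$st $(basename "$jar")"
    [ "$st" = vulnerable ] && bad=1
  done
  return "$bad"
}

# Demo on a constructed directory (not a real TomEE install): the two jar names quoted in the
# issue plus one fixed release. For a real check, pass e.g. /path/to/tomee/lib instead.
demo=$(mktemp -d)
for j in xmlsec-2.2.3.jar xmlsec-2.3.2.jar xmlsec-2.2.6.jar; do : > "$demo/$j"; done
scan_lib_dir "$demo" || echo "at least one xmlsec jar is below the fixed version"
rm -rf "$demo"
```

The version comparison is done field by field rather than with `sort -V` so the script runs on a plain POSIX sh without GNU coreutils. A jar on a line the advisory does not name is reported as "unknown" rather than guessed either way; the advisory's own wording decides only the 2.2, 2.3, 3.0 and 4.0 cases.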