[ https://issues.apache.org/jira/browse/TOMEE-4264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Richard Zowalla closed TOMEE-4264.
----------------------------------
    Fix Version/s:     (was: 10.0.0-M1)
                       (was: 9.1.2)
       Resolution: Fixed

> Update Apache Santuario Java (xmlsec) to mitigate CVE-2023-44483
> ----------------------------------------------------------------
>
>                 Key: TOMEE-4264
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4264
>             Project: TomEE
>          Issue Type: Dependency upgrade
>    Affects Versions: 9.1.1
>            Reporter: Nikhil
>            Assignee: Richard Zowalla
>            Priority: Minor
>              Labels: cve
>             Fix For: 10.0.0
>
>
> *CVE-2023-44483*
>
> All versions of Apache Santuario - XML Security for Java prior to 2.2.6,
> 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue
> where a private key may be disclosed in log files when generating an XML
> Signature and logging with debug level is enabled. Users are recommended to
> upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
>
> *Note:* In order to exploit this vulnerability, logging with debug level
> should be enabled.
>
> {*}Solution{*}: Fixed in versions:
> * [*2.2.6*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-2.2.6]
>   by [this|https://github.com/apache/santuario-xml-security-java/commit/cd923d63ba2a02578b263258e749f3ed94389fd8] commit.
> * [*2.3.4*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-2.3.4]
>   by [this|https://github.com/apache/santuario-xml-security-java/commit/c85db6be7f49815253f59902b066086a7ad5ce9a] commit.
> * [*3.0.3*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-3.0.3]
>   by [this|https://github.com/apache/santuario-xml-security-java/commit/18999b9dced2c736f4a8d52d0c7d1b114351c77d] commit.
> * [*4.0.0*|https://github.com/apache/santuario-xml-security-java/releases/tag/xmlsec-4.0.0]
>   by [this|https://github.com/apache/santuario-xml-security-java/commit/c37a2aa5066405271e74f1c611a5a66fbf8c25d4] commit.
>
> +*TomEE releases*+
> * TomEE 8.0.14 ships xmlsec-2.2.3.jar
> * TomEE 8.0.15 ships xmlsec-2.3.2.jar
>
> Please review and do the needful

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
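To check a TomEE `lib` directory against the fixed xmlsec versions named in the ticket, here is an added Python helper; it is not part of the ticket, of TomEE or of Santuario. The jar listings are constructed to mirror the two TomEE releases the ticket names, and the handling of branches the advisory does not list (older than 2.2.6 is vulnerable, newer is fixed) is an assumption.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed releases named in CVE-2023-44483, keyed by their major.minor branch.
FIXED: Dict[Tuple[int, int], Version] = {
    (2, 2): (2, 2, 6),
    (2, 3): (2, 3, 4),
    (3, 0): (3, 0, 3),
    (4, 0): (4, 0, 0),
}
OLDEST_FIX: Version = min(FIXED.values())

# Matches the plain xmlsec jar only (not -sources/-javadoc variants).
JAR_RE = re.compile(r"^xmlsec-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_xmlsec_jar(name: str) -> Optional[Version]:
    """Return (major, minor, patch) for an xmlsec jar filename, else None."""
    m = JAR_RE.match(name)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def is_vulnerable(version: Version) -> bool:
    """True if this xmlsec version is affected by CVE-2023-44483.

    A version on a listed branch is fixed once it reaches that branch's fix.
    Assumption for unlisted branches: anything older than the oldest fix
    (2.2.6) is vulnerable, anything newer is fixed.
    """
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    return version < OLDEST_FIX


def audit_lib_dir(filenames: Iterable[str]) -> Dict[str, str]:
    """Map each xmlsec jar in a lib listing to 'VULNERABLE' or 'fixed'."""
    report: Dict[str, str] = {}
    for name in filenames:
        v = parse_xmlsec_jar(name)
        if v is not None:
            report[name] = "VULNERABLE" if is_vulnerable(v) else "fixed"
    return report


# Constructed listings: the xmlsec jars the ticket says each release ships.
TOMEE_8_0_14_LIB = ["xmlsec-2.2.3.jar", "some-other-lib.jar"]
TOMEE_8_0_15_LIB = ["xmlsec-2.3.2.jar", "some-other-lib.jar"]

if __name__ == "__main__":
    print("TomEE 8.0.14:", audit_lib_dir(TOMEE_8_0_14_LIB))
    print("TomEE 8.0.15:", audit_lib_dir(TOMEE_8_0_15_LIB))
```

Point `audit_lib_dir` at `os.listdir("<tomee>/lib")` to audit a real installation; only the plain xmlsec jar is considered.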