[ https://issues.apache.org/jira/browse/OFBIZ-7136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-7136.
----------------------------------
Resolution: Done
Fix Version/s: 15.12.01
> Upgrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability
> ---------------------------------------------------------
>
> Key: OFBIZ-7136
> URL: https://issues.apache.org/jira/browse/OFBIZ-7136
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: 15.12.01
>
>
> CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
> Severity: Important
> Versions Affected:
> Apache PDFBox 1.8.0 to 1.8.11
> Apache PDFBox 2.0.0
> Earlier, unsupported Apache PDFBox versions may be affected as well
> Description:
> Apache PDFBox parses different XML data within PDF files such as XMP and the
> initialization of the XML parsers did not protect against XML External Entity
> (XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead
> to the disclosure of confidential data, denial of service, server side
> request forgery, port scanning from the perspective of the machine where the
> parser is located, and other system impacts."
> Mitigation:
> Upgrade to Apache PDFBox 1.8.12 or 2.0.1 respectively
> Credit:
> This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi
> Kim, Mesut Timur and Microsoft Vulnerability Research.
> [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
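As an added example (not part of this issue, and not PDFBox's own code): a Java XML parser configured the way the advisory's description implies a hardened one should be, so that a DOCTYPE carrying an entity declaration inside an XMP packet is rejected before any external entity could be resolved. The XMP packet, the class name and the entity URI are constructed placeholders.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmpParser {

    // Builds a DocumentBuilderFactory that cannot be driven into XXE:
    // no DOCTYPE at all (so no internal or external entity declarations),
    // no external DTD fetches, no XInclude, no entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Returns the parsed XMP document, or throws SAXException when the packet
    // carries a DOCTYPE: the hardened factory rejects it before any entity is touched.
    static Document parseXmp(byte[] packet) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(packet));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample XMP packet; the entity URI is a placeholder, not a real target.
        String packet = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE x [ <!ENTITY ext SYSTEM \"http://placeholder.invalid/entity\"> ]>\n"
            + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" xmlns:dc=\"http://purl.org/dc/elements/1.1/\">\n"
            + "  <dc:title>&ext;</dc:title>\n"
            + "</x:xmpmeta>\n";
        try {
            parseXmp(packet.getBytes(StandardCharsets.UTF_8));
            System.out.println("parsed (no DOCTYPE present)");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```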