[ https://issues.apache.org/jira/browse/XALANJ-2792?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Joshua Marquart updated XALANJ-2792:
------------------------------------
    Attachment: xalanj-2792-20241213a.patch

> XALAN JAXP still vulnerable to CVE-2019-2981
> --------------------------------------------
>
>                 Key: XALANJ-2792
>                 URL: https://issues.apache.org/jira/browse/XALANJ-2792
>             Project: XalanJ2
>          Issue Type: Bug
>      Security Level: No security risk; visible to anyone (Ordinary problems in Xalan projects. Anybody can view the issue.)
>          Components: JAXP
>    Affects Versions: 2.7.3
>            Reporter: Joshua Marquart
>            Priority: Minor
>         Attachments: xalanj-2792-20241213a.patch
>
>
> Recent Sonatype Lifecycle scans of Xalan 2.7.3 (and Xalan servicemix 2.7.3_3) are being flagged as having LOW vulnerability CVE-2019-2981 due to improper error handling within JAXP classes.
>
> org.apache.xpath.compiler.Compiler will throw an unchecked StackOverflowError under certain conditions.
>
> Per the CVE summary, this has already been resolved by certain JRE releases of JAXP; however, a cursory review of the existing releases of the classes from Xalan shows the compensating code was not applied to Xalan's embedded JAXP classes, which therefore have the potential to throw a StackOverflowError.
>
> RedHat, for example, resolved it with their JRE per [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-2981] / [https://hg.openjdk.org/jdk8u/jdk8u/jaxp/rev/6f9c0c731ab7]
>
> OpenJDK resolved it here: [https://linux.oracle.com/errata/ELSA-2019-3128.html]
>
> *Description from CVE*
>
> Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JAXP). Supported versions that are affected are Java SE: 7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.7 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
>
> *Explanation*
>
> Certain components within OpenJDK versions 7, 8, etc. are vulnerable to improper handling of exceptions. In some cases, an unauthenticated attacker may be able to exploit this vulnerability to trigger a partial Denial of Service (DoS).
>
> _Vulnerable File(s) and Function(s)_:
>
> jdk8u/jaxp/org/apache/xpath/external/XPath.class
> jdk8u/jaxp/org/apache/xpath/external/compiler/Compiler.class
> jdk8u/jaxp/org/apache/xpath/external/axes/WalkerFactory.class
> jdk8u/jaxp/org/apache/xpath/external/axes/FilterExprWalker.class
> jdk7u/jaxp/org/apache/xpath/external/compiler/Compiler.class
> jdk7u/jaxp/org/apache/xpath/external/XPath.class
> jdk7u/jaxp/org/apache/xpath/external/axes/FilterExprWalker.class
> jdk7u/jaxp/org/apache/xpath/external/axes/WalkerFactory.class

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
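Added example, not the attached patch and not Xalan's own code: one way an application that compiles XPath from untrusted input can contain the failure the issue describes, by capping expression length before compilation and converting a StackOverflowError escaping the compiler into the checked XPathExpressionException its callers already handle. The class name, the cap value and the sample expressions are assumptions; which XPath implementation XPathFactory picks (Xalan's, if on the classpath, otherwise the JDK's embedded copy) does not change the guard.

```java
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;

// Guarded compilation of XPath expressions that come from an untrusted source.
// Hypothetical helper written for this issue; not part of Xalan or of the attached patch.
public final class GuardedXPathCompiler {

    // Assumed cap: generous for expressions the application itself emits,
    // far below anything that could exhaust the compiler's recursion.
    private static final int MAX_EXPRESSION_LENGTH = 2048;
    private final XPathFactory factory = XPathFactory.newInstance();

    // Compiles expr, reporting every failure as the checked exception the caller
    // already handles instead of letting an Error unwind the worker thread.
    public XPathExpression compile(String expr) throws XPathExpressionException {
        if (expr == null || expr.length() > MAX_EXPRESSION_LENGTH) {
            throw new XPathExpressionException(
                    "XPath expression rejected: missing or longer than "
                    + MAX_EXPRESSION_LENGTH + " characters");
        }
        XPath xpath = factory.newXPath();
        try {
            return xpath.compile(expr);
        } catch (StackOverflowError e) {
            // The compiler recursed too deeply (the failure mode CVE-2019-2981 describes).
            // Once the Error has propagated here the stack is unwound again, so converting
            // it to a checked exception is safe; the input itself is simply refused.
            throw new XPathExpressionException("XPath expression rejected: nesting too deep");
        }
    }

    public static void main(String[] args) {
        GuardedXPathCompiler compiler = new GuardedXPathCompiler();
        // Constructed samples: a realistic expression and an over-long one (Java 11+ for repeat).
        String[] samples = {
            "/inventory/item[@id='42']/price",
            "/a".repeat(5_000)
        };
        for (String sample : samples) {
            try {
                compiler.compile(sample);
                System.out.println("accepted (" + sample.length() + " chars)");
            } catch (XPathExpressionException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The length cap is the primary control: the catch only covers compilation that this wrapper performs, not XPath compiled elsewhere (for example inside XSLT processing), and it does not replace upgrading to a Xalan release that carries the error-handling fix.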