On 2025/02/10 20:45:00 "Joshua Marquart (Jira)" wrote:
>
> [
https://issues.apache.org/jira/browse/XALANJ-2792?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17925733#comment-17925733
]
>
> Joshua Marquart commented on XALANJ-2792:
> -----------------------------------------
>
> Was told in SM-2880 to poke the Xalan bugs in Jira that I'd like to see
fixed, so consider this poked.
>
> > XALAN JAXP still vulnerable to CVE-2019-2981
> > --------------------------------------------
> >
> > Key: XALANJ-2792
> > URL: https://issues.apache.org/jira/browse/XALANJ-2792
> > Project: XalanJ2
> > Issue Type: Bug
> > Security Level: No security risk; visible to anyone(Ordinary
problems in Xalan projects. Anybody can view the issue.)
> > Components: JAXP
> > Affects Versions: 2.7.1, 2.7.2, 2.7.3
> > Reporter: Joshua Marquart
> > Priority: Minor
> > Attachments: xalanj-2792-20241213a.patch
> >
> >
> > Recent Sonatype Lifecycle scans of Xalan 2.7.3 (and Xalan servicemix
2.7.3_3) are being flagged as having LOW vulnerability CVE-2019-2981 due to
improper error handling within JAXP classes.
> > org.apache.xpath.compiler.Compiler will throw an unchecked
StackOverflowError under certain conditions.
> > Per the CVE summary, this has already been resolved by certain JRE
releases of JAXP, however cursory review of the existing releases of the
classes from Xalan show the compensating code was not applied to Xalan's
embedded JAXP classes and therefore have the potential to throw a
StackOverflowError.
> >
> > RedHat, for example, resolved it with their JRE per [
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-2981] / [
https://hg.openjdk.org/jdk8u/jdk8u/jaxp/rev/6f9c0c731ab7]
> > OpenJDK resolved it here: [
https://linux.oracle.com/errata/ELSA-2019-3128.html]
> >
> > *Description from CVE*
> > Vulnerability in the Java SE, Java SE Embedded product of Oracle Java
SE (component: JAXP). Supported versions that are affected are Java SE:
7u231, 8u221, 11.0.4 and 13; Java SE Embedded: 8u221. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via
multiple protocols to compromise Java SE, Java SE Embedded. Successful
attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note:
This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets (in
Java SE 8), that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security. This vulnerability
can also be exploited by using APIs in the specified Component, e.g.,
through a web service which supplies data to the APIs. CVSS 3.0 Base Score
3.7 (Availability impacts). CVSS Vector:
(CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).
> > *Explanation*
> > Certain components within OpenJDK versions 7, 8, etc. are vulnerable to
improper handling of exceptions. Under some cases, an unauthenticated
attacker may be able to exploit this vulnerability to trigger a partial
Denial of Service (DoS).
> > {_}Vulnerable File(s) and Function(s){_}:
> > jdk8u/jaxp/org/apache/xpath/external/XPath.class
> > jdk8u/jaxp/org/apache/xpath/external/compiler/Compiler.class
> > jdk8u/jaxp/org/apache/xpath/external/axes/WalkerFactory.class
> > jdk8u/jaxp/org/apache/xpath/external/axes/FilterExprWalker.class
> > jdk7u/jaxp/org/apache/xpath/external/compiler/Compiler.class
> > jdk7u/jaxp/org/apache/xpath/external/XPath.class
> > jdk7u/jaxp/org/apache/xpath/external/axes/FilterExprWalker.class
> > jdk7u/jaxp/org/apache/xpath/external/axes/WalkerFactory.class
>
>
>
> --
> This message was sent by Atlassian Jira
> (v8.20.10#820010)
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@xalan.apache.org
> For additional commands, e-mail: dev-h...@xalan.apache.org
>
>
