[ https://issues.apache.org/jira/browse/XERCESJ-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140981#comment-17140981 ]
Mukul Gandhi commented on XERCESJ-1722:
---------------------------------------

For the moment, I might suggest the following: use serializer.jar shipped with Xalan-J 2.7.2 when using Xerces-J 2.12.1. For that to work, I think the JRE version that needs to be used by the Xerces-J application is 1.7.x (which was used to build Xalan-J 2.7.2).

Also, as of today the link [https://nvd.nist.gov/vuln/detail/CVE-2014-0107] mentions the following: "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided". The above, I think, shall imply that the information provided within the mentioned CVE is not 100% reliable to act on.

> Vulnerable Serializer 2.7.1 bundled in Xerces 2.12.1 binary distribution
> -----------------------------------------------------------------------
>
>                 Key: XERCESJ-1722
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1722
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: Serialization
>    Affects Versions: 2.12.1
>            Reporter: Olivier Jaquemet
>            Priority: Major
>
> The following jars are bundled in the Xerces-J 2.12.1 binary distribution:
> {{47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1 resolver.jar}}
> {{ *1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391 serializer.jar* }}
> {{ a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad xml-apis.jar}}
>
> Extracting information from the MANIFEST:
> * resolver.jar / Implementation-Version: 1.2
> * *serializer.jar / Implementation-Version: 2.7.1*
> * xml-apis.jar / Implementation-Version: 1.4.01
>
> Problem:
> If it IS the Xalan serializer 2.7.1 (which I could not confirm from the hash), this version is vulnerable to CVE-2014-0107:
> [https://nvd.nist.gov/vuln/detail/CVE-2014-0107]
>
> Xalan 2.7.2 was released in April 2014 and should probably be included to prevent uninformed users from relying on the whole Xerces-J distribution.
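The report above derives its evidence from two sources: the SHA-256 of each bundled jar and the Implementation-Version attribute in each jar's META-INF/MANIFEST.MF. The following is an added example, not code from the issue or from the Xerces-J project, that automates that check so it can be re-run against any distribution. It reads the manifest out of a jar (handling the manifest format's continuation lines), compares the jar's digest against the hashes listed in the report, and flags a serializer.jar whose Implementation-Version is older than 2.7.2, the version the report recommends. The in-memory jar built by make_test_jar is a constructed stand-in for demonstration, not a real Xalan artifact, so its hash will not match the reported values; the three expected hashes are copied from the report.

```python
import hashlib
import io
import zipfile
from typing import Dict, Optional, Tuple

# SHA-256 values as listed in XERCESJ-1722 for the Xerces-J 2.12.1 binary distribution.
REPORTED_SHA256 = {
    "resolver.jar": "47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1",
    "serializer.jar": "1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391",
    "xml-apis.jar": "a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad",
}

# Minimum serializer version the report considers acceptable (Xalan-J 2.7.2).
MIN_SERIALIZER_VERSION = (2, 7, 2)


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse the main section of a JAR MANIFEST.MF into a dict.

    The manifest format wraps long values: a line starting with a single
    space continues the previous attribute. The main section ends at the
    first blank line; per-entry sections after it are ignored here.
    """
    attrs: Dict[str, str] = {}
    last_key: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            break
        if raw.startswith(" ") and last_key is not None:
            attrs[last_key] += raw[1:]
            continue
        key, _, value = raw.partition(":")
        last_key = key.strip()
        attrs[last_key] = value.strip()
    return attrs


def implementation_version(jar_bytes: bytes) -> Optional[str]:
    """Return Implementation-Version from the jar's manifest, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        except KeyError:
            return None
    return parse_manifest(manifest).get("Implementation-Version")


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.7.1' into (2, 7, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_jar(name: str, jar_bytes: bytes) -> dict:
    """Collect the facts the report relies on: digest, manifest version, and whether
    a serializer.jar is older than the recommended 2.7.2."""
    version = implementation_version(jar_bytes)
    digest = sha256_of(jar_bytes)
    result = {
        "name": name,
        "sha256": digest,
        "matches_reported_hash": REPORTED_SHA256.get(name) == digest,
        "implementation_version": version,
        "outdated": False,
    }
    if name == "serializer.jar" and version is not None:
        result["outdated"] = version_tuple(version) < MIN_SERIALIZER_VERSION
    return result


def make_test_jar(impl_version: str) -> bytes:
    """Constructed in-memory jar containing only a manifest (not a real Xalan jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = (
            "Manifest-Version: 1.0\r\n"
            "Implementation-Title: Xalan Serializer\r\n"
            f"Implementation-Version: {impl_version}\r\n"
            "\r\n"
        )
        zf.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    # Against a real distribution, replace make_test_jar(...) with open(path, "rb").read().
    for v in ("2.7.1", "2.7.2"):
        print(audit_jar("serializer.jar", make_test_jar(v)))
```

The hash comparison only tells you whether the jar you hold is the one the report examined; as the reporter notes, the manifest version alone does not prove which upstream build produced it, so a definitive answer still requires comparing the digest against the jar published by the Xalan project.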
--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-dev-h...@xerces.apache.org