[ https://issues.apache.org/jira/browse/XERCESJ-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17140981#comment-17140981 ]

Mukul Gandhi edited comment on XERCESJ-1722 at 6/20/20, 6:57 AM:
-----------------------------------------------------------------

For the moment, I might suggest the following:

Use the serializer.jar shipped with Xalan-J 2.7.2 when using Xerces-J 2.12.1. For 
that to work, I think the JRE version that needs to be used by the Xerces-J 
application is 1.7.x+ (Java 1.7.x was used to build Xalan-J 2.7.2).

Also, as of today the link [https://nvd.nist.gov/vuln/detail/CVE-2014-0107] 
mentions the following:

"This vulnerability has been modified since it was last analyzed by the NVD. It 
is awaiting reanalysis which may result in further changes to the information 
provided".

The above, I think, shall imply that the information provided within the 
mentioned CVE is not 100% reliable to act on.


was (Author: mukul_gandhi):
For the moment, I might suggest the following:

Use the serializer.jar shipped with Xalan-J 2.7.2 when using Xerces-J 2.12.1. For 
that to work, I think the JRE version that needs to be used by the Xerces-J 
application is 1.7.x (which was used to build Xalan-J 2.7.2).

Also, as of today the link [https://nvd.nist.gov/vuln/detail/CVE-2014-0107] 
mentions the following:

"This vulnerability has been modified since it was last analyzed by the NVD. It 
is awaiting reanalysis which may result in further changes to the information 
provided".

The above, I think, shall imply that the information provided within the 
mentioned CVE is not 100% reliable to act on.

> Vulnerable Serializer 2.7.1 bundled in Xerces 2.12.1 binary distribution
> ------------------------------------------------------------------------
>
>                 Key: XERCESJ-1722
>                 URL: https://issues.apache.org/jira/browse/XERCESJ-1722
>             Project: Xerces2-J
>          Issue Type: Bug
>          Components: Serialization
>    Affects Versions: 2.12.1
>            Reporter: Olivier Jaquemet
>            Priority: Major
>
> The following jars are bundled in the Xerces-J 2.12.1 binary distribution:
> {{47dcde8986019314ef78ae7280a94973a21d2ed95075a40a000b42da956429e1 resolver.jar}}
> {{*1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391 serializer.jar*}}
> {{a840968176645684bb01aed376e067ab39614885f9eee44abe35a5f20ebe7fad xml-apis.jar}}
> Extracting information from the MANIFEST:
>  * resolver.jar / Implementation-Version: 1.2
>  * *serializer.jar / Implementation-Version: 2.7.1*
>  * xml-apis.jar / Implementation-Version: 1.4.01
> Problem:
> If it IS the Xalan serializer 2.7.1 (which I could not confirm from the 
> hash), this version is vulnerable to CVE-2014-0107:
> [https://nvd.nist.gov/vuln/detail/CVE-2014-0107]
> Xalan 2.7.2 was released in April 2014 and should probably be included to 
> prevent uninformed users from relying on the whole Xerces-J distribution.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: j-dev-unsubscr...@xerces.apache.org
For additional commands, e-mail: j-dev-h...@xerces.apache.org
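The check the reporter did by hand (hash each bundled jar, read Implementation-Version from its MANIFEST, compare the serializer against Xalan-J 2.7.2) is easy to script so it can be re-run after swapping in the serializer.jar from Xalan-J 2.7.2 as the comment suggests. The script below is an added example, not code from the issue or from the Xerces-J or Xalan-J projects; the function names are its own, the three jars it builds are constructed with the manifest versions quoted in the issue, and the only real hash it carries is the serializer.jar SHA-256 reported in XERCESJ-1722 (which the reporter notes did not let him confirm the jar's origin).

```python
# Added example (not from the Jira issue or the Xerces-J/Xalan-J projects): audit the
# jars in a distribution by SHA-256 and manifest Implementation-Version, flagging a
# serializer.jar older than Xalan-J 2.7.2 or matching the hash reported in XERCESJ-1722.
import hashlib
import os
import tempfile
import zipfile

MANIFEST_PATH = "META-INF/MANIFEST.MF"

# Xalan-J 2.7.2 is the release the issue names as the one to use instead of 2.7.1.
MIN_SERIALIZER_VERSION = (2, 7, 2)

# SHA-256 of serializer.jar in the Xerces-J 2.12.1 binary distribution, as reported
# in XERCESJ-1722 (origin not confirmed from the hash by the reporter).
KNOWN_SUSPECT_SHA256 = {
    "1456a09a4c710804c7cb6c0897cf323ae168d0c07ed12ca389f81f572f6d4391":
        "serializer.jar bundled in Xerces-J 2.12.1 (XERCESJ-1722)",
}


def parse_manifest(text):
    """Parse the main section of a JAR manifest. Lines are wrapped at 72 bytes;
    a continuation line starts with one space and extends the previous value."""
    attrs = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            break  # blank line ends the main section; per-entry sections follow
        if raw.startswith(" ") and last is not None:
            attrs[last] += raw[1:]
        elif ":" in raw:
            key, value = raw.split(":", 1)
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def version_tuple(version):
    """'2.7.1' -> (2, 7, 1); non-digits in a piece are dropped ('1.4.01' -> (1, 4, 1))."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def inspect_jar(path):
    """Return name, sha256 and manifest Implementation-Title/Version for one jar."""
    with zipfile.ZipFile(path) as zf:
        try:
            manifest = zf.read(MANIFEST_PATH).decode("utf-8")
        except KeyError:
            manifest = ""  # jar without a manifest: version stays None
    attrs = parse_manifest(manifest)
    return {"name": os.path.basename(path), "sha256": sha256_file(path),
            "title": attrs.get("Implementation-Title"),
            "version": attrs.get("Implementation-Version")}


def audit_distribution(lib_dir):
    """Inspect every *.jar in lib_dir; flag a serializer that is too old or known-suspect."""
    findings = []
    for fname in sorted(os.listdir(lib_dir)):
        if not fname.endswith(".jar"):
            continue
        info = inspect_jar(os.path.join(lib_dir, fname))
        reasons = []
        if info["sha256"] in KNOWN_SUSPECT_SHA256:
            reasons.append("hash matches " + KNOWN_SUSPECT_SHA256[info["sha256"]])
        if fname == "serializer.jar":
            if info["version"] is None:
                reasons.append("no Implementation-Version in manifest")
            elif version_tuple(info["version"]) < MIN_SERIALIZER_VERSION:
                reasons.append("serializer %s is older than Xalan-J 2.7.2" % info["version"])
        info["reasons"] = reasons
        info["flagged"] = bool(reasons)
        findings.append(info)
    return findings


def build_sample_distribution(lib_dir):
    """Constructed sample: three jars with the manifest versions quoted in the issue."""
    jars = {"resolver.jar": ("XML Commons Resolver", "1.2"),
            "serializer.jar": ("Xalan serializer", "2.7.1"),
            "xml-apis.jar": ("XML Commons APIs", "1.4.01")}
    for name, (title, version) in jars.items():
        manifest = ("Manifest-Version: 1.0\r\nImplementation-Title: %s\r\n"
                    "Implementation-Version: %s\r\n\r\n" % (title, version))
        with zipfile.ZipFile(os.path.join(lib_dir, name), "w") as zf:
            zf.writestr(MANIFEST_PATH, manifest)


def demo():
    """Build the sample distribution in a temp dir; return findings keyed by jar name."""
    lib_dir = tempfile.mkdtemp(prefix="xerces-lib-")
    build_sample_distribution(lib_dir)
    return {f["name"]: f for f in audit_distribution(lib_dir)}


if __name__ == "__main__":
    for name, f in demo().items():
        status = "FLAGGED: " + "; ".join(f["reasons"]) if f["flagged"] else "ok"
        print("%-16s %s  %-8s %s" % (name, f["sha256"][:16], f["version"], status))
```

Point audit_distribution at the real distribution's lib directory instead of the constructed one; a serializer.jar whose manifest still says 2.7.1 (or whose hash matches the one quoted in the issue) is flagged, and one replaced with the jar from Xalan-J 2.7.2 passes the version check. The manifest version is only a hint, which is why the hash is recorded alongside it: a manifest can say anything, so a hash list from the vendor's own release is the stronger evidence.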