
List:       xerces-j-dev
Subject:    Security vulnerability in 2.12.0
From:       Andrew Poon <andrewskpoon () gmail ! com>
Date:       2020-10-14 4:16:00
Message-ID: CAOmg7+86VtomqF-_vpr90+GZ2jeWfarv8nbdTHub4NjKH=4aHw () mail ! gmail ! com

Hi all,

I noticed a recently discovered vulnerability in Xerces

https://nvd.nist.gov/vuln/detail/CVE-2020-14338
CVE-2020-14338 Detail
Current Description

A flaw was found in Wildfly's implementation of Xerces, specifically in the
way the XMLSchemaValidator class in the JAXP component of Wildfly enforced
the "use-grammar-pool-only" feature. This flaw allows a specially-crafted
XML file to manipulate the validation process in certain cases. This issue
is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses
similar code. All xerces jboss versions before 2.12.0.SP3.

Is there any plan to create a bugfix release to remediate this?


Thanks

Andrew
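Added illustration (not part of Andrew's message and not the Xerces project's own code) of the feature the CVE description refers to: the Xerces-J configuration in which a trusted schema is pre-parsed into a locked grammar pool and the schema validator is told, via the `use-grammar-pool-only` feature, to consult only that pool rather than grammars located from the instance document. The feature and property URIs and the Xerces classes are the real ones; the schema path, the sample document and the `PooledSchemaValidation` class name are constructed assumptions.

```java
import java.io.File;
import java.io.StringReader;

import org.apache.xerces.impl.Version;
import org.apache.xerces.parsers.SAXParser;
import org.apache.xerces.parsers.XMLGrammarPreparser;
import org.apache.xerces.util.XMLGrammarPoolImpl;
import org.apache.xerces.xni.grammars.XMLGrammarDescription;
import org.apache.xerces.xni.parser.XMLInputSource;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;

/**
 * Added example (not from the mailing-list post or the Xerces project):
 * validate an instance document only against schemas that were pre-loaded
 * into a locked grammar pool. The schema path and XML text are constructed.
 */
public class PooledSchemaValidation {

    // Real Xerces-J feature / property identifiers.
    static final String GRAMMAR_POOL =
        "http://apache.org/xml/properties/internal/grammar-pool";
    static final String USE_POOL_ONLY =
        "http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only";
    static final String VALIDATION = "http://xml.org/sax/features/validation";
    static final String SCHEMA_VALIDATION = "http://apache.org/xml/features/validation/schema";
    static final String SCHEMA_FULL_CHECKING =
        "http://apache.org/xml/features/validation/schema-full-checking";

    /** Parse a trusted schema once and lock the pool so later parses cannot add grammars. */
    static XMLGrammarPoolImpl buildLockedPool(File trustedSchema) throws Exception {
        XMLGrammarPoolImpl pool = new XMLGrammarPoolImpl();
        XMLGrammarPreparser preparser = new XMLGrammarPreparser();
        preparser.registerPreparser(XMLGrammarDescription.XML_SCHEMA, null);
        preparser.setProperty(GRAMMAR_POOL, pool);
        preparser.preparseGrammar(XMLGrammarDescription.XML_SCHEMA,
            new XMLInputSource(null, trustedSchema.toURI().toString(), null));
        pool.lockPool(); // pool is now read-only for the validator
        return pool;
    }

    /** Returns true when the document validates against a grammar from the pool. */
    static boolean validate(XMLGrammarPoolImpl pool, String xml) throws Exception {
        SAXParser parser = new SAXParser();
        parser.setFeature(VALIDATION, true);
        parser.setFeature(SCHEMA_VALIDATION, true);
        parser.setFeature(SCHEMA_FULL_CHECKING, true);
        parser.setFeature(USE_POOL_ONLY, true);   // ignore grammars not already in the pool
        parser.setProperty(GRAMMAR_POOL, pool);

        final boolean[] failed = { false };
        parser.setErrorHandler(new ErrorHandler() {
            public void warning(SAXParseException e) { /* ignored */ }
            public void error(SAXParseException e) { failed[0] = true; }
            public void fatalError(SAXParseException e) throws SAXException { throw e; }
        });
        parser.parse(new InputSource(new StringReader(xml)));
        return !failed[0];
    }

    public static void main(String[] args) throws Exception {
        // Reports the Xerces build actually on the classpath, e.g. "Xerces-J 2.12.0".
        System.out.println(Version.getVersion());

        // args[0]: path to a trusted .xsd (constructed assumption).
        XMLGrammarPoolImpl pool = buildLockedPool(new File(args[0]));

        // Constructed sample document. With use-grammar-pool-only set, an
        // xsi:schemaLocation hint is not used to fetch a replacement grammar;
        // an element with no pooled declaration is reported as a validation error.
        String doc = "<order xmlns=\"urn:example:orders\"><id>42</id></order>";
        System.out.println(validate(pool, doc) ? "valid" : "invalid");
    }
}
```

When the pool holds no grammar for the document's namespace, the error handler sees the usual "cannot find the declaration of element" schema error and `validate` returns false, which is the intended outcome for a document trying to bring its own schema. The `Version.getVersion()` line is the quickest way to confirm which Xerces build a deployment actually loads when comparing against a fixed release.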



