Well …

you might not, but a malicious attacker might.
I think the last few releases of BlazeDS that I did in the past were reacting 
to CVEs reported in the XML processing part of BlazeDS. Here, for example, a 
malicious attacker could embed XML using XML entities that referenced protected 
resources on the server, and the BlazeDS server just resolved them, exposing this 
protected information.

However, I think I remember I turned off the XML processing of external 
resources by default. So probably this problem would not apply in very many 
cases.

However, this seems to be a pretty new vulnerability, as I wasn't getting it 
when I started the branch. So, I would advise looking whether a newer version is 
available and simply switching to that. If you need help with that … give me a 
ping. Should be a matter of 5 minutes.

Chris
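
The entity-resolution problem Chris describes above, as an added example that is not BlazeDS code nor anything from the thread: a JAXP `DocumentBuilder` configured so that DOCTYPEs and external entities are never resolved, next to the default configuration that does resolve them, plus a `TransformerFactory` locked down the same way for the XSLT side Tom mentions. The payload, the `file:///etc/hostname` path and the class name are constructed for the demo; the settings are standard JAXP 1.5 features and attributes, and an older standalone Xalan on the classpath may reject the stylesheet attribute with an `IllegalArgumentException` (an assumption worth checking in your own build). None of this addresses CVE-2022-34169 itself, for which the thread's advice is to move to a newer Xalan.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example, not part of BlazeDS. Class name and payload are constructed.
public class XmlHardeningDemo {

    // Constructed payload: an external entity pointing at a server-side file.
    // A permissive parser expands &secret; and the file contents end up in the
    // parsed document, which is the exposure described in the thread.
    static final String XXE_PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE msg [<!ENTITY secret SYSTEM \"file:///etc/hostname\">]>\n"
        + "<msg>&secret;</msg>";

    /** Parser that refuses DOCTYPEs and never fetches external DTDs or entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright, so no entity declaration can be smuggled in.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that do not honour the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // JAXP 1.5: an empty protocol list means no external access at all.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Default JAXP parser: resolves DOCTYPE entity declarations, SYSTEM ones included. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Returns the text of <msg>, or the parser's error message if the input was rejected. */
    static String parse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "parsed: " + d.getDocumentElement().getTextContent();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        } catch (Exception e) {
            return "error: " + e;
        }
    }

    /** XSLT side: secure processing on, and stylesheets cannot reach external resources. */
    static TransformerFactory hardenedTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        // May throw IllegalArgumentException on an old standalone Xalan (assumption).
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Hardened parser reports a DOCTYPE-disallowed error; the permissive one
        // reads the referenced file into the document.
        System.out.println("hardened:   " + parse(hardenedBuilder(), XXE_PAYLOAD));
        System.out.println("permissive: " + parse(permissiveBuilder(), XXE_PAYLOAD));
        hardenedTransformerFactory();
    }
}
```

The check worth running against a real deployment is the first `parse` call: if it ever returns `parsed:` with file contents instead of `rejected:`, the parser in use is still resolving external resources regardless of what the defaults were meant to be.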


From: Tom Chiverton <t...@extravision.com>
Date: Tuesday, 16 August 2022 at 12:20
To: dev@flex.apache.org <dev@flex.apache.org>, Brian Raymes 
<brian.ray...@teotech.com>
Subject: Re: [EXTERNAL] BlazeDS release
The issue there is when processing malicious XSLT.

We don't pass untrusted XSLT to it ?

Tom

On 15/08/2022 22:36, Brian Raymes wrote:
> Seems like those dependencies need to be replaced due to vulnerabilities, as 
> the Apache Xalan project has been retired:
>
> https://github.com/advisories/GHSA-9339-86wc-4qgf
>
>
>
> -----Original Message-----
> From: Piotr Zarzycki <piotrzarzyck...@gmail.com>
> Sent: Sunday, August 14, 2022 3:26 AM
> To: dev@flex.apache.org
> Subject: [EXTERNAL] BlazeDS release
>
> Hi All,
>
> In this thread I will be reporting updates related to release of BlazeDS. I 
> looked into Chris's branch and I would like to exclude Proxy module from 
> upcoming release. Please let me know in this thread whether you have anything 
> against it.
>
> Meanwhile I have following error on the console during build - Anyone know 
> what that means ?
>
> One or more dependencies were identified with known vulnerabilities in
> flex-messaging-common:
>
> serializer-2.7.2.jar (pkg:maven/xalan/serializer@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
> xalan-2.7.2.jar (pkg:maven/xalan/xalan@2.7.2,
> cpe:2.3:a:apache:xalan-java:2.7.2:*:*:*:*:*:*:*) : CVE-2022-34169
>
> See the dependency-check report for more details.
>
> [INFO] ------------------------------------------------------------------------
> [INFO] Reactor Summary for Apache Flex - BlazeDS 4.8.0-SNAPSHOT:
> [INFO]
> [INFO] Apache Flex - BlazeDS .............................. SUCCESS [  5.914 s]
> [INFO] flex-messaging-archetypes .......................... SUCCESS [  1.409 s]
> [INFO] blazeds-spring-boot-example-archetype .............. SUCCESS [  4.430 s]
> [INFO] flex-messaging-common .............................. FAILURE [  2.155 s]
> [INFO] flex-messaging-core ................................ SKIPPED
> [INFO] flex-messaging-proxy ............................... SKIPPED
> [INFO] flex-messaging-remoting ............................ SKIPPED
> [INFO] flex-messaging-opt ................................. SKIPPED
> [INFO] flex-messaging-opt-tomcat .......................... SKIPPED
> [INFO] flex-messaging-opt-tomcat-base ..................... SKIPPED
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time:  14.115 s
> [INFO] Finished at: 2022-08-14T12:24:30+02:00
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal org.owasp:dependency-check-maven:7.1.0:check (default) on project flex-messaging-common:
> [ERROR]
> [ERROR] One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '4.0':
> [ERROR]
> [ERROR] serializer-2.7.2.jar: CVE-2022-34169(9.8)
> [ERROR] xalan-2.7.2.jar: CVE-2022-34169(9.8)
> [ERROR]
> [ERROR] See the dependency-check report for more details.
>
> Thanks,
