[ https://issues.apache.org/jira/browse/OFBIZ-7136?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15304059#comment-15304059 ]

Jacques Le Roux commented on OFBIZ-7136:
----------------------------------------

Done in:
trunk at r1745751
R15.12 at r1745752

I did not try to update to version 2.0.1.
I only tested by using
https://localhost:8443/example/control/ExampleReportPdfOptions?exampleId=EX01
but I got nothing. So I tried with R15.12 before backporting and got the same
issue. So I guess it's unrelated to this update. Moreover, with both branches
I get an error in the log for the barcode PDF: I opened OFBIZ-7137.

I don't close yet, I'll look at other releases later; it's not obvious whether
upgrading from 1.7.1 to 1.8.12 can be done without side effects.

> Upgrade PDFBox to 1.8.12 (or 2.0.1?) due to vulnerability
> ---------------------------------------------------------
>
>                 Key: OFBIZ-7136
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-7136
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>
> CVE-2016-2175: Apache PDFBox XML External Entity vulnerability
> Severity: Important
> Versions Affected:
> Apache PDFBox 1.8.0 to 1.8.11
> Apache PDFBox 2.0.0
> Earlier, unsupported Apache PDFBox versions may be affected as well
> Description:
> Apache PDFBox parses different XML data within PDF files such as XMP and the 
> initialization of the XML parsers did not protect against XML External Entity 
> (XXE) vulnerabilities. According to www.owasp.org [1]: "This attack may lead 
> to the disclosure of confidential data, denial of service, server side 
> request forgery, port scanning from the perspective of the machine where the 
> parser is located, and other system impacts."
> Mitigation:
> Upgrade to Apache PDFBox 1.8.12 or 2.0.1 respectively
> Credit:
> This issue was discovered by Arthur Khashaev (https://khashaev.ru), Seulgi 
> Kim, Mesut Timur and Microsoft Vulnerability Research.
> [1] https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
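The advisory quoted above says the XML parsers PDFBox used for embedded data such as XMP were initialised without protection against external entities. The following is an added example, not code from PDFBox or OFBiz, that shows what that means in practice with the JAXP API PDFBox runs on: a constructed XMP-style packet carrying an external entity that points at a temporary file, a DocumentBuilder left at JAXP defaults that resolves the entity and returns the file contents as the document title, and a hardened DocumentBuilder that refuses the DOCTYPE before any entity is touched. The class name, method names, the sample packet and the temporary "secret" file are this example's own assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XmpXxeDemo {

    private static final String DC_NS = "http://purl.org/dc/elements/1.1/";

    // Constructed XMP-like packet (not a real PDF's metadata stream): the DOCTYPE declares an
    // external entity whose SYSTEM identifier points at a file on the parsing host.
    static String xmpPacket(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE x:xmpmeta [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">\n"
             + "  <dc:title xmlns:dc=\"" + DC_NS + "\">&xxe;</dc:title>\n"
             + "</x:xmpmeta>\n";
    }

    // Parser at JAXP defaults: DOCTYPE is accepted and external general entities are resolved,
    // so whatever the entity points at ends up in the DOM.
    static DocumentBuilder unprotectedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Hardened parser: reject any DOCTYPE (the single setting that closes XXE), and additionally
    // disable external entity resolution, external DTD loading, XInclude and entity expansion
    // in case a parser implementation ignores the first feature.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Parse the packet and return the text of dc:title, i.e. what an XMP consumer would read.
    static String titleOf(DocumentBuilder builder, String xml) throws SAXException, IOException {
        Document doc = builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getElementsByTagNameNS(DC_NS, "title").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a sensitive file on the server that runs the PDF parser.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "SECRET".getBytes(StandardCharsets.UTF_8));
        String xml = xmpPacket(secret);
        try {
            // Unprotected: the file contents are returned as the document title.
            System.out.println("unprotected parser: title = " + titleOf(unprotectedBuilder(), xml));
            // Hardened: parsing stops at the DOCTYPE with a SAXParseException.
            try {
                titleOf(hardenedBuilder(), xml);
                System.out.println("hardened parser: unexpectedly parsed the packet");
            } catch (SAXException e) {
                System.out.println("hardened parser rejected the packet: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Running the class with a JDK's built-in Xerces prints the temporary file's contents for the unprotected builder and a "DOCTYPE is disallowed" style SAXParseException for the hardened one. The same entity could just as well point at an http:// URL, which is the SSRF and port-scanning angle the advisory quotes from OWASP; disallowing DOCTYPE blocks both cases at once, which is why it is the setting to check first when auditing any XML parser that reads attacker-supplied files.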