Posted to dev@tomee.apache.org by Jonathan Gallimore <jo...@gmail.com> on 2019/08/30 14:38:00 UTC

Quartz CVE-2019-13990

Hi all,

There's a potential XXE in the quartz package that we shade and use. The
quartz package itself doesn't appear to be maintained any more, so I have
forked and pushed binaries with a fix to staging repos at oss.sonatype.org.

I intend to update our quartz shade code here:
https://svn.apache.org/repos/asf/tomee/deps/trunk/quartz-openejb-shade/ to
use my patched version of quartz.

It's unlikely that TomEE as it is is affected by this as we're not driving
Quartz by passing XML to it, but I think it makes sense to use a patched
version to mitigate this in case users are calling this code directly in
their applications.

Are there any objections?

Thanks

Jon

Re: Quartz CVE-2019-13990

Posted by Jonathan Gallimore <jo...@gmail.com>.
No-one's objected, so I'll push an update to quartz-openejb-shade, and if
it's looking ok, I'll call a vote so it's released and we can use the update
in TomEE.

Jon

On Fri, Aug 30, 2019 at 3:40 PM Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> I forgot - here's the link to the actual issue in Quartz:
> https://github.com/quartz-scheduler/quartz/issues/467. The XML parser
> isn't well configured, which leaves it potentially vulnerable to XXE
> attacks from malicious XML input.
>
> Jon
>
> On Fri, Aug 30, 2019 at 3:38 PM Jonathan Gallimore <
> jonathan.gallimore@gmail.com> wrote:
>
>> Hi all,
>>
>> There's a potential XXE in the quartz package that we shade and use. The
>> quartz package itself doesn't appear to be maintained any more, so I have
>> forked and pushed binaries with a fix to staging repos at
>> oss.sonatype.org.
>>
>> I intend to update our quartz shade code here:
>> https://svn.apache.org/repos/asf/tomee/deps/trunk/quartz-openejb-shade/ to
>> use my patched version of quartz.
>>
>> It's unlikely that TomEE as it is is affected by this as we're not driving
>> Quartz by passing XML to it, but I think it makes sense to use a patched
>> version to mitigate this in case users are calling this code directly in
>> their applications.
>>
>> Are there any objections?
>>
>> Thanks
>>
>> Jon
>>
>

Re: Quartz CVE-2019-13990

Posted by Jonathan Gallimore <jo...@gmail.com>.
I forgot - here's the link to the actual issue in Quartz:
https://github.com/quartz-scheduler/quartz/issues/467. The XML parser isn't
well configured, which leaves it potentially vulnerable to XXE attacks from
malicious XML input.

Jon

On Fri, Aug 30, 2019 at 3:38 PM Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> Hi all,
>
> There's a potential XXE in the quartz package that we shade and use. The
> quartz package itself doesn't appear to be maintained any more, so I have
> forked and pushed binaries with a fix to staging repos at oss.sonatype.org.
>
> I intend to update our quartz shade code here:
> https://svn.apache.org/repos/asf/tomee/deps/trunk/quartz-openejb-shade/ to
> use my patched version of quartz.
>
> It's unlikely that TomEE as it is is affected by this as we're not driving
> Quartz by passing XML to it, but I think it makes sense to use a patched
> version to mitigate this in case users are calling this code directly in
> their applications.
>
> Are there any objections?
>
> Thanks
>
> Jon
>