Posted to dev@tomee.apache.org by Jonathan Gallimore <jo...@gmail.com> on 2019/09/08 19:26:59 UTC

Re: Quartz CVE-2019-13990

No-one's objected, so I'll push an update to quartz-openejb-shade, and if
it's looking ok, I'll call a vote so it's released and we can use the update
in TomEE.

Jon

On Fri, Aug 30, 2019 at 3:40 PM Jonathan Gallimore <
jonathan.gallimore@gmail.com> wrote:

> I forgot - here's the link to the actual issue in Quartz:
> https://github.com/quartz-scheduler/quartz/issues/467. The XML parser
> isn't well configured, which leaves it potentially vulnerable to XXE
> attacks from malicious XML input.
>
> Jon
>
> On Fri, Aug 30, 2019 at 3:38 PM Jonathan Gallimore <
> jonathan.gallimore@gmail.com> wrote:
>
>> Hi all,
>>
>> There's a potential XXE in the quartz package that we shade and use. The
>> quartz package itself doesn't appear to be maintained any more, so I have
>> forked and pushed binaries with a fix to staging repos at
>> oss.sonatype.org.
>>
>> I intend to update our quartz shade code here:
>> https://svn.apache.org/repos/asf/tomee/deps/trunk/quartz-openejb-shade/ to
>> use my patched version of quartz.
>>
>> It's unlikely that TomEE as it is is affected by this as we're not driving
>> Quartz by passing XML to it, but I think it makes sense to use a patched
>> version to mitigate this in case users are calling this code directly in
>> their applications.
>>
>> Are there any objections?
>>
>> Thanks
>>
>> Jon
>>
>