Posted to commits@uima.apache.org by sc...@apache.org on 2018/04/26 15:23:00 UTC
svn commit: r1830235 - in /uima/site/trunk/uima-website: docs/security_report.html xdocs/security_report.xml
Author: schor
Date: Thu Apr 26 15:23:00 2018
New Revision: 1830235
URL: http://svn.apache.org/viewvc?rev=1830235&view=rev
Log:
no Jira add Security report for CVE-2017-15691
Modified:
uima/site/trunk/uima-website/docs/security_report.html
uima/site/trunk/uima-website/xdocs/security_report.xml
Modified: uima/site/trunk/uima-website/docs/security_report.html
URL: http://svn.apache.org/viewvc/uima/site/trunk/uima-website/docs/security_report.html?rev=1830235&r1=1830234&r2=1830235&view=diff
==============================================================================
--- uima/site/trunk/uima-website/docs/security_report.html (original)
+++ uima/site/trunk/uima-website/docs/security_report.html Thu Apr 26 15:23:00 2018
@@ -225,7 +225,45 @@
<blockquote class="sectionBody">
<p>Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.</p>
<ul>
- <li>none yet</li>
+ <li id="CVE-2017-15691">
+<pre>CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+ - uimaj 2.x.x releases prior to 2.10.2
+ - uimaj 3.0.0 releases prior to 3.0.0-beta
+ - uima-as releases prior to 2.10.2
+ - uimaFIT releases prior to 2.4.0
+ - uimaDUCC releases prior to 2.2.2
+
+Description.
+The details of this vulnerability were reported to the Apache UIMA Private
+mailing list.
+
+This vulnerability relates to an XML external entity expansion (XXE) capability
+of various XML parsers. See
+ https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+for more details.
+
+UIMA as part of its configuration and operation may read XML from various
+sources, which could be tainted in ways to cause inadvertent disclosure of local
+files or other internal content.
+
+Mitigation:
+Users are advised to upgrade these UIMA components to the following levels or later:
+ - uimaj: 2.x.x upgrade to 2.10.2 or later
+ - uimaj: 3.x.x upgrade to 3.0.0 or later
+ - uima-as: upgrade to 2.10.2 or later
+ - uimaFIT: upgrade to 2.4.0 or later
+ - uimaDUCC: upgrade to 2.2.2 or later
+
+Credit: Joern Kottmann
+</pre>
+</li>
</ul>
</blockquote>
</p>
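Review bot: the 3.x entries in Versions Affected and Mitigation disagree on the first fixed release: `- uimaj 3.0.0 releases prior to 3.0.0-beta` names 3.0.0-beta, while `- uimaj: 3.x.x upgrade to 3.0.0 or later` names 3.0.0, so a reader on a 3.0.0-beta build cannot tell whether that build is covered; settle on one fixed version and use it in both lists. Two smaller points in the same block: `Description.` should be `Description:` to match the other field labels (Severity:, Vendor:, Mitigation:, Credit:), and the `<li id="CVE-2017-15691">` entry would be more useful if the CVE id were linked to its public CVE record so readers can cross-check the published details.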
Modified: uima/site/trunk/uima-website/xdocs/security_report.xml
URL: http://svn.apache.org/viewvc/uima/site/trunk/uima-website/xdocs/security_report.xml?rev=1830235&r1=1830234&r2=1830235&view=diff
==============================================================================
--- uima/site/trunk/uima-website/xdocs/security_report.xml (original)
+++ uima/site/trunk/uima-website/xdocs/security_report.xml Thu Apr 26 15:23:00 2018
@@ -31,7 +31,45 @@ under the License.
<p>Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.</p>
<ul>
- <li>none yet</li>
+ <li id="CVE-2017-15691">
+<pre>CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure
+
+Severity: Important
+
+Vendor:
+The Apache Software Foundation
+
+Versions Affected:
+ - uimaj 2.x.x releases prior to 2.10.2
+ - uimaj 3.0.0 releases prior to 3.0.0-beta
+ - uima-as releases prior to 2.10.2
+ - uimaFIT releases prior to 2.4.0
+ - uimaDUCC releases prior to 2.2.2
+
+Description.
+The details of this vulnerability were reported to the Apache UIMA Private
+mailing list.
+
+This vulnerability relates to an XML external entity expansion (XXE) capability
+of various XML parsers. See
+ https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
+for more details.
+
+UIMA as part of its configuration and operation may read XML from various
+sources, which could be tainted in ways to cause inadvertent disclosure of local
+files or other internal content.
+
+Mitigation:
+Users are advised to upgrade these UIMA components to the following levels or later:
+ - uimaj: 2.x.x upgrade to 2.10.2 or later
+ - uimaj: 3.x.x upgrade to 3.0.0 or later
+ - uima-as: upgrade to 2.10.2 or later
+ - uimaFIT: upgrade to 2.4.0 or later
+ - uimaDUCC: upgrade to 2.2.2 or later
+
+Credit: Joern Kottmann
+</pre>
+</li>
</ul>
</section>
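Review bot: this hunk repeats the advisory text of the docs/ copy verbatim, so the same 3.x inconsistency (`prior to 3.0.0-beta` under Versions Affected versus `upgrade to 3.0.0 or later` under Mitigation) and the `Description.` label need correcting here as well; if docs/security_report.html is rendered from this xdocs source, make the wording fix in this file and regenerate the HTML rather than patching both copies by hand. The description also says only that UIMA "may read XML from various sources, which could be tainted"; if it is known which XML inputs (for example which configuration or descriptor files) were affected and what the fixed releases change about entity handling, stating that would let operators judge their exposure before they are able to upgrade.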