Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2022/02/15 07:01:00 UTC

[jira] [Commented] (TOMEE-3838) TomEE Plume - CVE-2021-40110

    [ https://issues.apache.org/jira/browse/TOMEE-3838?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17492393#comment-17492393 ] 

Richard Zowalla commented on TOMEE-3838:
----------------------------------------

Hi [~AJIGOPAL]

We do not use the Apache James Mail server in the code base. Reading the CVE it sounds like Apache James (Server) is vulnerable to the CVE mentioned above as well as to

- https://nvd.nist.gov/vuln/detail/CVE-2021-38542
- https://nvd.nist.gov/vuln/detail/CVE-2021-40111
- https://nvd.nist.gov/vuln/detail/CVE-2021-40525

However, Geronimo Java Mail (1.0.1) uses apache-mime4j-core-0.8.6.jar as a shaded dependency. Therefore, I think that this might be a false positive. Can you re-check? Please see the different utility libraries released under Apache James: https://james.apache.org/download.cgi

Regards
Richard


> TomEE Plume - CVE-2021-40110
> ----------------------------
>
>                 Key: TOMEE-3838
>                 URL: https://issues.apache.org/jira/browse/TOMEE-3838
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 8.0.9
>            Reporter: AJIT GOPALAN
>            Priority: Blocker
>
> TomEE Plume 8.0.9 suffers from CVE-2021-40110
> This is a bug in Apache James, that manifests itself through the Geronimo Mail jar dependency in TomEE ({_}layer.tar: apache-tomee-8.0.9-plume.tar.gz: apache-tomee-8.0.9-plume.tar: geronimo-javamail_1.6_mail-1.0.1.jar (shaded: org.apache.james:apache-mime4j-core:0.8.1){_})
> CVE Summary - 
> _"In Apache James, using Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial Of Service using a vulnerable Regular expression. This affected Apache James prior to 3.6.1. We recommend upgrading to Apache James 3.6.1 or higher, which enforce the use of RE2J regular expression engine to execute regex in linear time without back-tracking."_
> [https://nvd.nist.gov/vuln/detail/CVE-2021-40110#vulnCurrentDescriptionTitle]



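The disagreement in this thread is about which version of a shaded library actually sits inside geronimo-javamail_1.6_mail-1.0.1.jar: the scanner reported apache-mime4j-core 0.8.1, the comment above says 0.8.6. The script below is an added example (not code from TomEE, Geronimo, or the reporter's scanner) showing one way to settle such a question from the jar itself: it reads every `META-INF/maven/**/pom.properties` entry that the shade plugin carried over from the shaded dependencies and reports the groupId, artifactId and version found there. It assumes the shading kept those metadata files (maven-shade-plugin does so unless they are filtered out); if they are absent, the script reports nothing and a class-fingerprint comparison would be needed instead. The sample jar is constructed in memory for the test and its contents are illustrative, not a copy of the real artifact; the fixed-version argument to `is_older_than` is a caller-supplied placeholder, not a claim about which mime4j versions are affected.

```python
import io
import sys
import zipfile
from typing import Dict, List, Tuple


def parse_pom_properties(text: str) -> Dict[str, str]:
    """Parse a Maven pom.properties file (key=value lines, '#' comments)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def shaded_artifacts(jar_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Return (groupId, artifactId, version) for every Maven artifact whose
    pom.properties survived shading into this jar, sorted for stable output."""
    found: List[Tuple[str, str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    found.append((props["groupId"], props["artifactId"], props["version"]))
    return sorted(found)


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '0.8.6' (or '0.8.6-SNAPSHOT') into a comparable tuple of ints.
    Non-numeric suffixes are dropped; good enough for plain x.y.z releases."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_older_than(found_version: str, fixed_version: str) -> bool:
    """True when the embedded version predates the version an advisory names
    as fixed. 'fixed_version' is supplied by the caller from the advisory."""
    return version_tuple(found_version) < version_tuple(fixed_version)


def build_sample_jar() -> bytes:
    """Constructed sample jar for offline use: a javamail artifact that shades
    apache-mime4j-core. Versions here are illustrative, not taken from the
    real geronimo-javamail jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr(
            "META-INF/maven/org.apache.geronimo.javamail/geronimo-javamail_1.6_mail/pom.properties",
            "#Generated by Maven\nversion=1.0.1\n"
            "groupId=org.apache.geronimo.javamail\nartifactId=geronimo-javamail_1.6_mail\n",
        )
        zf.writestr(
            "META-INF/maven/org.apache.james/apache-mime4j-core/pom.properties",
            "version=0.8.6\ngroupId=org.apache.james\nartifactId=apache-mime4j-core\n",
        )
        # A placeholder class entry so the jar looks like it carries shaded code.
        zf.writestr("org/apache/james/mime4j/MimeException.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_shaded.py path/to/some.jar  (defaults to the sample jar)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar()
    for group, artifact, version in shaded_artifacts(data):
        print(f"{group}:{artifact}:{version}")
```

Run it against the real jar from the TomEE distribution to see what the shade plugin recorded; a scanner that fingerprints class files rather than reading pom.properties can disagree with this output, so when the two differ, the pom.properties and the class fingerprints should both be checked before closing a finding as a false positive.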
--
This message was sent by Atlassian Jira
(v8.20.1#820001)