Posted to dev@poi.apache.org by Swagatika Pati <sw...@yahoo.co.in.INVALID> on 2020/04/07 14:17:11 UTC
Need guidance to resolve vulnerabilities for apache poi-ooxml-4.1.2.jar
Hi Team
I am using Apache poi-ooxml-4.1.2.jar for our development purpose for a Java based application.
But while doing Black Duck scanning we got the below vulnerabilities for the Apache-XML Xml Security component used in poi-ooxml-4.1.2.jar.
The below classes used the Apache-XML Xml Security component in their import statements
poi-ooxml-4.1.2.jar/org/apache/poi/poifs/crypt/dsig/SignatureConfig.class
poi-ooxml-4.1.2.jar/org/apache/poi/poifs/crypt/dsig/facets/KeyInfoSignatureFacet.class
poi-ooxml-4.1.2.jar/org/apache/poi/poifs/crypt/dsig/facets/XAdESXLSignatureFacet.class
poi-ooxml-4.1.2.jar/org/apache/poi/poifs/crypt/dsig/services/RelationshipTransformService.class
And below is the list of vulnerability IDs.
CVE-2014-8152, CVE-2013-4517, CVE-2013-2210, CVE-2013-2172, CVE-2013-2156, CVE-2013-2155, CVE-2013-2154, CVE-2013-2153, CVE-2011-2516
Can you please guide us on how to resolve these vulnerabilities?
Thanks,
Swagatika
Re: Need guidance to resolve vulnerabilities for apache poi-ooxml-4.1.2.jar
Posted by "fanningpj@apache.org" <fa...@apache.org>.
Hi Swagatika,
This issue is already addressed in the latest development code and will be included in the next POI release.
https://poi.apache.org/changes.html -- see the reference to upgrading to xmlsec 2.1.5
Regards,
PJ