Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2021/04/07 09:04:00 UTC

[jira] [Commented] (TOMEE-2997) Update OpenSAML to V3.4.6 or later

    [ https://issues.apache.org/jira/browse/TOMEE-2997?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17316146#comment-17316146 ] 

Richard Zowalla commented on TOMEE-2997:
----------------------------------------

It seems we have upgraded to wss4j (2.3.1), which brings opensaml in version 3.4.5 with it.

I guess we would need to (a) check the changelogs of 3.4.6 and (b) override this transient dependency of wss4j to get v3.4.6.

Afaik, we are at v3.4.5 on master atm.

> Update OpenSAML to V3.4.6 or later
> ----------------------------------
>
>                 Key: TOMEE-2997
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2997
>             Project: TomEE
>          Issue Type: Dependency upgrade
>          Components: TomEE Core Server
>    Affects Versions: 8.0.6
>            Reporter: Nikhil
>            Priority: Major
>
> TomEE latest available version 8.0.6 has the opensaml component version 3.3.1 which is vulnerable to security issues mentioned below -
>  
> h1. Vulnerability Details
> h2. CVE-2020-27978
> *Vulnerability Published:* 2020-10-28 11:15 EDT
> *Vulnerability Updated:* 2020-10-28 12:26 EDT
> *CVSS Score:* (under review, not scored yet - updates will be reported in issue comments)
> *Summary*: Shibboleth Identity Provider 3.x before 3.4.6 has a denial of service flaw. A remote unauthenticated attacker can cause a login flow to trigger Java heap exhaustion due to the creation of objects in the Java Servlet container session.
> h2. BDSA-2019-4785
> *Affected Component(s):* OpenSAML 2.0
> *Vulnerability Published:* 2020-10-29 11:37 EDT
> *Vulnerability Updated:* 2020-10-29 11:37 EDT
> *CVSS Score:* 6.5 (overall), 7.5 (base)
> *Summary*: Shibboleth Identity Provider is vulnerable to denial-of-service (DoS) due to improper processing of authentication webflows. An attacker could exploit this vulnerability by supplying a system with maliciously crafted requests.
> ------------
>  
> The issue is fixed in version 3.4.6 or later
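As an added illustration of step (b) in the comment above (pinning the OpenSAML version that wss4j pulls in transitively), here is a Maven `dependencyManagement` fragment. It is example configuration written for this note, not the TomEE project's own pom, and it assumes the standard `org.opensaml` coordinates of the 3.x artifact family; the exact set of artifacts wss4j 2.3.1 actually pulls in should be confirmed with `mvn dependency:tree -Dincludes=org.opensaml` before and after the change.

```xml
<!-- Example override (not TomEE's real pom.xml): force the OpenSAML 3.x artifacts
     that wss4j brings in transitively up to 3.4.6, the version the issue names as fixed.
     dependencyManagement entries win over transitive version resolution in Maven. -->
<project>
  <properties>
    <!-- Assumed property name; the version value comes from the issue text. -->
    <opensaml.version>3.4.6</opensaml.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Assumed artifact list: the OpenSAML 3.x modules typically reached via
           wss4j-ws-security-common. Verify against the dependency tree. -->
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-core</artifactId>
        <version>${opensaml.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-saml-api</artifactId>
        <version>${opensaml.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-saml-impl</artifactId>
        <version>${opensaml.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-xmlsec-api</artifactId>
        <version>${opensaml.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-xmlsec-impl</artifactId>
        <version>${opensaml.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-security-api</artifactId>
        <version>${opensaml.version}</version>
      </dependency>
      <dependency>
        <groupId>org.opensaml</groupId>
        <artifactId>opensaml-security-impl</artifactId>
        <version>${opensaml.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The direct dependency stays as it is; only the managed OpenSAML versions change. -->
    <dependency>
      <groupId>org.apache.wss4j</groupId>
      <artifactId>wss4j-ws-security-common</artifactId>
      <version>2.3.1</version>
    </dependency>
  </dependencies>
</project>
```

After the override, re-run `mvn dependency:tree -Dincludes=org.opensaml` and check that every `org.opensaml` line reports 3.4.6 and that no module still resolves to 3.4.5 through a different path; mixing OpenSAML module versions within the same 3.x line is the usual failure mode of a partial override.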
