
Update XStream lib to prevent XML External Entity (XXE) Processing

Details

• Type: Sub-task
• Status: Closed
• Priority: Major
• Resolution: Fixed
• Affects Version/s: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12
• Fix Version/s: 14.12.01, 12.04.06, 13.07.03, 15.12.01
• Component/s: framework
• Sprint: Bug Crush Event - 21/2/2015

Description

The XStream team released the 1.4.9 stable version on March 15, 2016.

This version fixes the XML External Entity (XXE) Processing security issue.

Since OFBiz uses the DomDriver, with Java 6 at least in supported releases, OFBiz seems not really vulnerable, but better to be safe than sorry, notably for non-OOTB uses...

OWASP Dependency Check did not report this vulnerability. I will report it to them.

People

• Assignee: Jacques Le Roux (jacques.le.roux)
• Reporter: Jacques Le Roux (jacques.le.roux)