[TOMEE-4263] Update Apache Santuario Java (xmlsec) to mitigate CVE-2023-44483 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Dependency upgrade
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 8.0.14, 8.0.15
Fix Version/s: 8.0.16
Component/s: None
Labels:
None

Description

CVE-2023-44483

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.

Note: In order to exploit this vulnerability, logging with debug level should be enabled.

Solution: Fixed in versions:

2.2.6 by this commit.
2.3.4 by this commit.
3.0.3 by this commit.
4.0.0 by this commit.

TomEE releases

TomEE 8.0.14 ships xmlsec-2.2.3.jar
TomEE 8.0.15 ships xmlsec-2.3.2.jar

Please review and do the needful

Attachments

Issue Links

is cloned by

TOMEE-4264 Update Apache Santuario Java (xmlsec) to mitigate CVE-2023-44483

Closed

links to

GitHub Pull Request #1072

Activity

People

Assignee:: Jonathan S. Fisher

Reporter:: Nikhil

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 26/Oct/23 05:18

Updated:: 26/Oct/23 16:27

Resolved:: 26/Oct/23 16:27

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m