OFBIZ-6959: Update XStream lib to prevent XML External Entity (XXE) Processing

Parent issue: OFBIZ-1525 Issue to group security concerns


Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Release Branch 15.12, Trunk
    • Fix Version/s: 14.12.01, 12.04.06, 13.07.03, 15.12.01
    • Component/s: framework
    • Labels: Bug Crush Event - 21/2/2015

    Description

      The XStream team has released the 1.4.9 stable version on March 15, 2016.

      This version fixes the XML External Entity (XXE) Processing security issue.

      Since OFBiz uses the DomDriver, with Java 6 at least in supported releases, OFBiz seems not really vulnerable, but better to be safe than sorry, notably for non-OOTB uses...

      OWASP Dependency Check did not report this vulnerability. I will report to them.

          People

            Assignee: Jacques Le Roux (jleroux)
            Reporter: Jacques Le Roux (jleroux)