Bug: https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348 #316
Comments
According to jeremylong/DependencyCheck#4614 (comment), the CVE-2017-10355 is a vulnerability that OSSINDEX returns on the API call as applicable for the xercesImpl library. However, looks like xercesImpl is not subject to CVE-2017-10355. Thank you.
Appears to be corruption with an invalid cve value in the OSSINDEX vulnerability-data:

```json
{
  "coordinates": "pkg:maven/xerces/[email protected]",
  "description": "Xerces2 is the next generation of high performance, fully compliant XML parsers in the\n Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),\n a complete framework for building parser components and configurations that is extremely\n modular and easy to program.",
  "reference": "https://ossindex.sonatype.org/component/pkg:maven/xerces/[email protected]?utm_source\u003ddependency-check\u0026utm_medium\u003dintegration\u0026utm_content\u003d7.1.1",
  "vulnerabilities": [
    {
      "id": "sonatype-2017-0348",
      "displayName": "sonatype-2017-0348",
      "title": "[sonatype-2017-0348] CWE-833: Deadlock",
      "description": "sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)\n\nThe software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.",
      "cvssScore": 5.9,
      "cvssVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "cwe": "CWE-833",
      "cve": "CVE-2017-10355",
      "reference": "https://ossindex.sonatype.org/vulnerability/sonatype-2017-0348?component-type\u003dmaven\u0026component-name\u003dxerces%2FxercesImpl\u0026utm_source\u003ddependency-check\u0026utm_medium\u003dintegration\u0026utm_content\u003d7.1.1",
      "externalReferences": [
        "https://blogs.securiteam.com/index.php/archives/3271"
      ]
    }
  ]
}
```

Is the cached vulnerability result
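An added consistency check over a record in the shape quoted above (example code written for this page, not part of this issue, OSS Index or dependency-check): it recomputes the CVSS v3.0 base score from the vector and flags vendor-assigned ids whose `cve` field is only a cross-reference that the record's own title never names, which is the situation being triaged here. The sample record and the `check_report` helper are constructed for this example.

```python
import json
import math
import re

# Constructed sample in the shape of the OSS Index report quoted above (fields the check uses).
SAMPLE_REPORT = json.loads("""{
  "coordinates": "pkg:maven/xerces/xercesImpl@2.12.2",
  "vulnerabilities": [{
    "id": "sonatype-2017-0348", "title": "[sonatype-2017-0348] CWE-833: Deadlock",
    "cvssScore": 5.9, "cvssVector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "cwe": "CWE-833", "cve": "CVE-2017-10355"
  }]
}""")

# CVSS v3.0 base-metric weights (specification section 8.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def cvss3_base_score(vector):
    """Recompute the CVSS v3.0 base score from its vector string."""
    prefix, _, body = vector.partition("/")
    if prefix != "CVSS:3.0":
        raise ValueError(f"not a CVSS v3.0 vector: {vector}")
    m = dict(part.split(":") for part in body.split("/"))
    scope = m["S"]
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 6.42 * iss if scope == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[scope][m["PR"]] * UI[m["UI"]]
    raw = 0 if impact <= 0 else min((impact + exploitability) * (1 if scope == "U" else 1.08), 10)
    return math.ceil(round(raw * 10, 6)) / 10  # v3.0 "round up" to one decimal place


def check_report(report):
    """Return human-readable findings for records that need manual triage."""
    findings, coords = [], report.get("coordinates", "<unknown component>")
    for v in report.get("vulnerabilities", []):
        vid, cve = v.get("id", "?"), v.get("cve")
        if cve and not CVE_RE.match(cve):
            findings.append(f"{vid}: malformed cve field {cve!r}")
        # A vendor id (e.g. sonatype-*) carrying a CVE its own title never mentions is a
        # cross-reference; that CVE may have been assigned against a different product.
        elif cve and not vid.startswith("CVE-") and cve not in v.get("title", ""):
            findings.append(f"{vid}: confirm {cve} really applies to {coords}")
        computed = cvss3_base_score(v["cvssVector"])
        if abs(computed - float(v.get("cvssScore", 0))) > 1e-9:
            findings.append(f"{vid}: cvssScore {v['cvssScore']} != vector score {computed}")
    return findings
```

Run `check_report` over the `vulnerabilities` array of a cached OSS Index response; the sample record yields one finding (the CVE cross-reference) and no score mismatch, since the quoted vector does evaluate to 5.9.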
The CVE-2017-10355 is not for xercesImpl but for Java. The xercesImpl's vulnerability is actually sonatype-2017-0348 and/or SNYK-JAVA-XERCES-31497. The Snyk entry indicates that xercesImpl 2.11.0 is patched for the vulnerability. The OSSINDEX entry indicates that xercesImpl 2.12.2 is still subject to the vulnerability, but the reference blog has been removed. Can anybody in the OSSINDEX verify the status of sonatype-2017-0348? Is that still a valid issue or not?
Sorry for the delay. We are still working on developing processes to handle issues, and I have been away for a while (catching up now)! This issue has been passed to the research team on our internal tracking system, and I will report back here once more is known.
Hi @ken-duck , thank you for your update. Albert
Hi @ken-duck , is there any update about this one? Thank you. Regards,
I am emailing you more detailed information pending the coding updates we have underway that will make the detailed data available to all OSS Index users.
For sonatype-2017-0348: Apache Xerces-J is vulnerable to a Denial of Service (DoS) attack. The NOTE: This vulnerability was assigned CVE-2017-10355. … Incidentally, this vulnerability can be mitigated by upgrading your Java JDK to 6u171 or above (for 6.x), 7u161 or above (for 7.x), 8u151 or above (for 8.x), or 9.0.1 or above (for 9.x).
I got enough information about this issue. So I will close it.
Vulnerability URL
Component URL
Description
OWASP Dependency-Check reports a published vulnerability CVE-2017-10355 (OSSINDEX). The references include OSSINDEX - [sonatype-2017-0348] CWE-833: Deadlock and OSSIndex - https://blogs.securiteam.com/index.php/archives/3271.
However, the descriptions of CVE-2017-10355 and CWE-833 are very different. And the blog is gone.
Shall I report the incorrect vulnerability ID here or to OWASP Dependency-Check?
The related discussion in jeremylong / DependencyCheck.
Thank you.
Regards,
Albert