Loading...

XML

Word

Printable

Type: Bug
Resolution: Won't Do
Priority: Major
Fix Version/s: fuse-7.11.1-GA
Affects Version/s: fuse-7.11-GA
Component/s: Camel
Labels:
None

Blocked:
False
Blocked Reason:
None
Ready:
False
Fuse Progress Bar:

% %
GSS Priority:
Regression Test:
Todo
Target Release:

fuse-7.11.1-GA
Git Pull Request:
https://github.com/jboss-fuse/camel/pull/2076

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

OWASP recommendations for CVE-2017-7465 recommend the following

TransformerFactory tf = TransformerFactory.newInstance();
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");

If using camel-saxon in a spring-boot application, attempting to set those values results in:

Caused by: java.lang.IllegalArgumentException: Unknown configuration property http://javax.xml.XMLConstants/property/accessExternalDTD

What you can do, is set the following

sf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

But it's not clear that this actually addresses the CVE, and it causes security scanners to still flag it as a vulnerability. This appears to be an issue in EAP as well. This may have been addressed in Saxon 10.3 if I'm reading this bug correctly; Fuse 7.11 is using version 9.8.

$ mvn dependency:tree | grep saxon
[INFO] +- org.apache.camel:camel-saxon:jar:2.23.2.fuse-7_11_0-00037-redhat-00001:compile
[INFO] |  +- net.sf.saxon:Saxon-HE:jar:9.8.0-14:compile

links to

CAMEL-15616 – camel-saxon - Upgrade to Saxon 11.x (Camel 3)

Assignee:: Grzegorz Grzybek

Reporter:: Stephen Higgs

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2022/09/20 8:43 PM

Updated:: 2023/01/04 9:33 AM

Resolved:: 2022/10/21 1:51 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates