Suggestion: replace simple-xml-2.7.1.jar, as it's old and has security issues

Issue #106 resolved
Rolandas created an issue

We are using your fmu-wrapper and it's great, but now we are faced with an issue.

We saw that fmu-wrapper has a dependency on simple-xml-2.7.1.jar, which is very old and has a vulnerability:

"SimpleXML (latest version 2.7.1) is vulnerable to an XXE vulnerability resulting SSRF, information disclosure, DoS and so on."

Here is a link to an official site for Vulnerabilities:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Asimplexml_project&cpe_product=cpe%3A%2F%3Asimplexml_project%3Asimplexml&cpe_version=cpe%3A%2F%3Asimplexml_project%3Asimplexml%3A2.7.1

Would it be possible to use a different XML parser instead of SimpleXML with its security issue? Maybe you have considered alternatives?

Maybe there can be an option/build to use a different parser to avoid security concerns.

Comments (7)

  1. Jose Evora

    Dear Rolandas,

    Thank you very much for contacting us. Currently there is no other version of Simple XML, as far as we have checked. Changing the parsing system of the library would take a long time, so we need to discuss the priority of this issue internally.

    Once more, thank you very much for making us aware of this vulnerability. Best regards,

  2. Jose Evora

    Dear Rolandas,

    We have made progress on this issue. We saw in the link you sent that this was discussed in the developer's GitHub in this link. If you check this link, you will see that there is a fork in which this vulnerability has been eliminated. We are currently investigating this fork of the library to see if it works properly with our project. For the moment, it seems to be correctly integrated, so we could be releasing a new version soon, right after the tests.

    Please review all links and let us know how you feel about this change. We believe it is the best solution in terms of safety and effort.

  3. Rolandas reporter

    Dear Jose Evora,

    Looking at the GitHub fork, it seems OK. It would be great to get a build with that forked SimpleXML working.

  4. Jose Evora

    Dear Rolandas,

    Please find attached the snapshot version with the XML changed. We have run our tests and we are satisfied. Please note this jar requires this dependency:
    <dependency>
        <groupId>com.carrotsearch.thirdparty</groupId>
        <artifactId>simple-xml-safe</artifactId>
        <version>2.7.1</version>
    </dependency>

    We are looking forward to your review so we can go ahead with the release for everyone in the download section.

    Best regards,
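
A pom.xml fragment, added here as an illustration and not taken from the thread or from the fmu-wrapper project, showing how a consumer of fmu-wrapper can keep the old parser off the classpath and pin the safe fork quoted above: the fmu-wrapper coordinates are placeholders, the simple-xml-safe coordinates are the ones given in comment 4, and the enforcer rule makes the build fail if the vulnerable artifact ever comes back transitively.

```xml
<project>
  <dependencies>
    <!-- PLACEHOLDER coordinates: substitute the real fmu-wrapper groupId/artifactId/version -->
    <dependency>
      <groupId>PLACEHOLDER_GROUP</groupId>
      <artifactId>fmu-wrapper</artifactId>
      <version>PLACEHOLDER_VERSION</version>
      <exclusions>
        <!-- drop the XXE-prone 2.7.1 parser even if fmu-wrapper still declares it -->
        <exclusion>
          <groupId>org.simpleframework</groupId>
          <artifactId>simple-xml</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <!-- the fork with the XXE fix, as required by the snapshot jar in comment 4 -->
    <dependency>
      <groupId>com.carrotsearch.thirdparty</groupId>
      <artifactId>simple-xml-safe</artifactId>
      <version>2.7.1</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- fail the build if any path in the dependency tree reintroduces the old artifact -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <executions>
          <execution>
            <id>ban-vulnerable-simple-xml</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <excludes>
                    <exclude>org.simpleframework:simple-xml</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Running `mvn dependency:tree` afterwards is a quick way to confirm that only simple-xml-safe appears on the resolved classpath.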
