Hi Gabor,
CVE-2021-33813 -
An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.
VisiBroker does not use SAX/JDOM to process HTTP traffic; not a vulnerability in VB 8.5.7.
dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
VisiBroker does not use dom4j anywhere in the product. Not a vulnerability in VB 8.5.7.
A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits continue in the project's Axis 1.x Subversion repository; legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
VisiBroker does not use Axis for any basic CORBA IIOP communications (standard CORBA) in Java or C++. However, the Axis C++ implementation in VisiBroker comes with the infrastructure for an HTTP/SOAP listener (internally Apache Axis technology), which is turned off by default. So by default VisiBroker 8.5.7 is not vulnerable.
Cheers,
-Scott
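The dom4j item above refers to OWASP guidance on enabling the "safe, non-default behavior" in applications that use these parsers. The following is an added example (not part of Scott's reply and not VisiBroker code) showing that hardened configuration for both parsers named in the thread, JDOM 2.x SAXBuilder and dom4j SAXReader: DOCTYPE declarations are rejected, external general and parameter entities are disabled, and JDOM's entity expansion is switched off. It assumes jdom2 and dom4j 2.x are on the classpath; the two sample documents are constructed inline for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;

import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;
import org.xml.sax.SAXException;

public class HardenedXmlParsers {

    // Standard SAX/Xerces feature URIs used by the OWASP XXE guidance.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER =
        "http://xml.org/sax/features/external-parameter-entities";

    // Constructed sample: an ordinary document with no DOCTYPE (should parse).
    static final String SAMPLE_PLAIN = "<note>hello</note>";

    // Constructed sample: a document carrying a DOCTYPE with an external entity
    // (the hardened parsers must reject it before any entity is resolved).
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///does-not-exist\">]>\n"
      + "<note>&ext;</note>";

    /** JDOM2: non-validating reader with DOCTYPE and external entities disabled. */
    public static SAXBuilder hardenedJdomBuilder() {
        SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
        builder.setFeature(DISALLOW_DOCTYPE, true);
        builder.setFeature(EXTERNAL_GENERAL, false);
        builder.setFeature(EXTERNAL_PARAMETER, false);
        builder.setExpandEntities(false); // keep entity references unexpanded
        return builder;
    }

    /** dom4j: the same SAX features applied to SAXReader. */
    public static SAXReader hardenedDom4jReader() throws DocumentException {
        SAXReader reader = new SAXReader();
        try {
            reader.setFeature(DISALLOW_DOCTYPE, true);
            reader.setFeature(EXTERNAL_GENERAL, false);
            reader.setFeature(EXTERNAL_PARAMETER, false);
        } catch (SAXException e) {
            throw new DocumentException("parser does not support hardening feature", e);
        }
        return reader;
    }

    /** Returns the root text with JDOM2, or throws on a rejected document. */
    public static String parseWithJdom(String xml) throws JDOMException, IOException {
        Document doc = hardenedJdomBuilder().build(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    /** Returns the root text with dom4j, or throws on a rejected document. */
    public static String parseWithDom4j(String xml) throws DocumentException {
        org.dom4j.Document doc = hardenedDom4jReader().read(new StringReader(xml));
        return doc.getRootElement().getText();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JDOM2 plain:  " + parseWithJdom(SAMPLE_PLAIN));
        System.out.println("dom4j plain:  " + parseWithDom4j(SAMPLE_PLAIN));

        // Both hardened parsers refuse the DOCTYPE before touching the entity.
        try {
            parseWithJdom(SAMPLE_WITH_DOCTYPE);
            System.out.println("JDOM2: UNEXPECTEDLY accepted DOCTYPE");
        } catch (JDOMException e) {
            System.out.println("JDOM2 rejected DOCTYPE: " + e.getMessage());
        }
        try {
            parseWithDom4j(SAMPLE_WITH_DOCTYPE);
            System.out.println("dom4j: UNEXPECTEDLY accepted DOCTYPE");
        } catch (DocumentException e) {
            System.out.println("dom4j rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE outright is the simplest setting to reason about: it blocks both external entities and entity-expansion denial of service in one step. If an application genuinely needs internal DTDs, the two external-entity features alone still remove the external fetch, but the expansion limits of the underlying parser then become the relevant control.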