<!DOCTYPE html>
<!--
| Generated by Apache Maven Doxia Site Renderer 1.9.2 at 18 Sep 2022
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="Date-Revision-yyyymmdd" content="20220918" />
<meta http-equiv="Content-Language" content="en" />
<title>Apache jUDDI &#x2013; Security Advisories</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.6.min.css" />
<link rel="stylesheet" href="./css/site.css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/apache-maven-fluido-1.6.min.js"></script>
</head>
<body class="topBarEnabled">
</div>
<div class="container-fluid">
<div id="banner">
<div class="pull-left"><a href="./" id="bannerLeft"><img src="images/logo.png" alt="Apache jUDDI"/></a></div>
<div class="pull-right"><div id="bannerRight"><img src="images/apache_feather.gif" /></div>
</div>
<div class="clear"><hr/></div>
</div>
<div id="breadcrumbs">
<ul class="breadcrumb">
<li class=""><a href="http://www.apache.org/" class="externalLink" title="Apache">Apache</a><span class="divider">/</span></li>
<li class="active ">Security Advisories</li>
<li id="publishDate" class="pull-right"><span class="divider">|</span> Last Published: 18 Sep 2022</li>
<li id="projectVersion" class="pull-right">Version: 3.3.11-SNAPSHOT</li>
</ul>
</div>
<div class="row-fluid">
<div id="leftColumn" class="span2">
</div>
<div id="bodyColumn" class="span10" >
<section>
<h2><a name="Security_Advisories_for_Apache_jUDDI"></a>Security Advisories for Apache jUDDI</h2><section>
<h3><a name="CVEID_CVE-2021-37578"></a>CVEID <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37578">CVE-2021-37578</a></h3>
<p>VERSION: older than 3.3.10</p>
<p>PROBLEMTYPE: Remote Code Execution</p>
<p>REFERENCES: <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37578">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37578</a></p>
<p>DESCRIPTION: Apache jUDDI uses several classes related to Java&#x2019;s Remote Method Invocation (RMI) which (as an extension to UDDI) provides an alternate transport for accessing UDDI services.</p>
<p>RMI uses the default Java serialization mechanism to pass parameters in RMI invocations. A remote attacker can send a malicious serialized object to the above RMI entries. The objects get deserialized without any check on the incoming data. In the worst case, it may let the attacker run arbitrary code remotely.</p>
<p>For both jUDDI web service applications and jUDDI clients, the usage of RMI is disabled by default. Since this is an optional feature and an extension to the UDDI protocol, the likelihood of impact is low. Starting with 3.3.10, all RMI related code was removed.</p>
<p>Severity: Low</p>
<p>Mitigation:</p>
<p>jUDDI clients: disable the RMITransport (configured in uddi.xml) and use an alternate transport such as HTTPS. jUDDI server: disable the JNDI and RMI settings in juddiv3.war/WEB-INF/classes/juddiv3.xml. The relevant settings are listed below in xpath-style notation.</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums">juddi/jndi/registration=false
juddi/rmi/registration=false
</pre></div></div>
<p>If the settings are not present, then JNDI and RMI are already disabled. This is the default setting.</p>
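<p>The following is an added example, not part of the advisory or of jUDDI's own code: a stand-alone check that reads a juddiv3.xml and reports whether either of the two registration settings above is enabled. It treats an absent element as disabled, as the advisory states, and assumes only that the settings live under a <code>juddi</code> element (a <code>config</code> wrapper root, as in the constructed samples, is an assumption; the search is relative, so any root works).</p>

```python
import xml.etree.ElementTree as ET

# The two settings named in the advisory, in the same xpath-style form the
# advisory uses; each must be absent or "false" for RMI/JNDI to be disabled.
RMI_SETTINGS = ("juddi/jndi/registration", "juddi/rmi/registration")


def rmi_exposure(juddiv3_xml: str) -> dict:
    """Return {setting: enabled?} for each registration setting.

    An absent element counts as disabled, matching the advisory's statement
    that no setting present means RMI/JNDI are already off.  The './/' prefix
    locates <juddi> under whatever root the file uses (assumed <config>).
    """
    root = ET.fromstring(juddiv3_xml)
    result = {}
    for path in RMI_SETTINGS:
        node = root.find(".//" + path)
        text = (node.text or "").strip().lower() if node is not None else ""
        result[path] = text == "true"
    return result


def is_hardened(juddiv3_xml: str) -> bool:
    """True when neither JNDI nor RMI registration is enabled."""
    return not any(rmi_exposure(juddiv3_xml).values())


# Constructed samples (not real jUDDI files): one that still registers the
# RMI endpoint, the corrected form the advisory recommends, and a file with
# neither element present, which is the safe default.
EXPOSED_CONFIG = """<config>
  <juddi>
    <jndi><registration>false</registration></jndi>
    <rmi><registration>true</registration></rmi>
  </juddi>
</config>"""

HARDENED_CONFIG = """<config>
  <juddi>
    <jndi><registration>false</registration></jndi>
    <rmi><registration>false</registration></rmi>
  </juddi>
</config>"""

DEFAULT_CONFIG = "<config><juddi/></config>"

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG),
                      ("hardened", HARDENED_CONFIG),
                      ("default", DEFAULT_CONFIG)):
        verdict = "ok" if is_hardened(cfg) else "REVIEW"
        print("%-8s %s %s" % (name, verdict, rmi_exposure(cfg)))
```

<p>Run it against each deployed juddiv3.xml; any <code>REVIEW</code> line means an RMI or JNDI registration is still switched on and the deserialization exposure described above still applies until the setting is changed or the server is upgraded to 3.3.10 or later, where the RMI code no longer exists.</p>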
<p>Credit:</p>
<p>Artem Smotrakov</p></section><section>
<h3><a name="CVEID__CVE-2018-1307"></a>CVEID <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1307">CVE-2018-1307</a></h3>
<p>VERSION: 3.2 through 3.3.4</p>
<p>PROBLEMTYPE: XML Entity Expansion</p>
<p>REFERENCES: <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1307">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1307</a></p>
<p>DESCRIPTION: When the WADL2Java or WSDL2Java classes are used, which parse a local or remote XML document and then map its data structures into UDDI data structures, there is little protection against entity expansion and DTD-based attacks. This was fixed with <a class="externalLink" href="https://issues.apache.org/jira/browse/JUDDI-987">https://issues.apache.org/jira/browse/JUDDI-987</a></p>
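<p>As an added illustration of the hardening involved (this is not jUDDI's code and not the JUDDI-987 change itself), the block below parses a WSDL-like document only after a first pass that refuses any DOCTYPE or entity declaration. Rejecting the DTD outright is the same policy as the Xerces feature <code>http://apache.org/xml/features/disallow-doctype-decl</code> on the Java side; it removes both entity-expansion and external-entity behaviour in one step. The sample documents are constructed for the example.</p>

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"


class UnsafeXmlError(ValueError):
    """Raised when a document declares a DTD or any entity."""


def reject_dtd(document: str) -> None:
    """Scan with a bare expat parser and refuse the document as soon as a
    DOCTYPE or entity declaration appears, before the real parser sees it.
    Exceptions raised inside expat handlers propagate out of Parse()."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXmlError("DOCTYPE declaration not allowed: %s" % name)

    def on_entity(*decl):
        raise UnsafeXmlError("entity declaration not allowed: %r" % (decl[0],))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(document, True)


def parse_descriptor(document: str) -> ET.Element:
    """Parse a WSDL/WADL-style document, DTD check first."""
    reject_dtd(document)
    return ET.fromstring(document)


def is_safe_descriptor(document: str) -> bool:
    """True when the document passes the DTD check and parses."""
    try:
        parse_descriptor(document)
        return True
    except UnsafeXmlError:
        return False


def service_names(document: str) -> list:
    """Names of the <service> elements in a WSDL document that passed."""
    root = parse_descriptor(document)
    return [s.get("name") for s in root.findall("{%s}service" % WSDL_NS)]


# Constructed samples: a plain WSDL fragment, and the same fragment carrying
# an internal DTD subset, which is exactly what the check must refuse.
SAFE_WSDL = """<?xml version="1.0"?>
<definitions xmlns="%s" name="Example">
  <service name="ExampleService"/>
</definitions>""" % WSDL_NS

DTD_WSDL = """<?xml version="1.0"?>
<!DOCTYPE definitions [ <!ENTITY e "x"> ]>
<definitions xmlns="%s" name="&e;">
  <service name="ExampleService"/>
</definitions>""" % WSDL_NS

if __name__ == "__main__":
    print("safe document  ->", service_names(SAFE_WSDL))
    print("dtd document   ->", "accepted" if is_safe_descriptor(DTD_WSDL) else "rejected")
```

<p>The pre-scan costs one extra parse of the input, which is acceptable for descriptor-sized documents; the important property is that no entity is ever expanded, so neither a large internal entity nor an external <code>SYSTEM</code> reference can be reached by the second, real parse.</p>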
<p>Severity: Moderate</p>
<p>Mitigation:</p>
<p>Update your juddi-client dependencies to 3.3.5 or newer and/or discontinue use of the affected classes.</p></section><section>
<h3><a name="CVEID_:_CVE-2009-4267"></a>CVEID : <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4267">CVE-2009-4267</a></h3>
<p>VERSION: 3.0.0</p>
<p>PROBLEMTYPE: Information Disclosure</p>
<p>REFERENCES: <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4267">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4267</a></p>
<p>DESCRIPTION: The jUDDI console doesn&#x2019;t escape line feeds passed in the numRows parameter. This affects log integrity, since it allows authenticated users to forge log records.</p>
<p>Severity: Moderate</p>
<p>Mitigation:</p>
<p>3.0.0 users should upgrade to jUDDI 3.0.1 or newer</p>
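<p>Added example, not taken from the jUDDI console code: a log-record renderer shown in the unescaped form the advisory describes and in a corrected form that encodes control characters before the value is written. The parameter name <code>numRows</code> comes from the advisory; the record layout and the sample value are constructed.</p>

```python
import re

# CR, LF and the other C0 control characters, plus DEL: any of these can
# start a new line in a log file or hide what follows on a terminal.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize_for_log(value: str, max_len: int = 200) -> str:
    """Encode control characters as \\xNN so a user-supplied value can never
    break out of the record it is written into, and cap the length so an
    oversized parameter cannot flood the log."""
    escaped = _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    if len(escaped) > max_len:
        escaped = escaped[:max_len] + "...(truncated)"
    return escaped


def log_line(user: str, num_rows: str, safe: bool = True) -> str:
    """Render one console log record.  safe=False reproduces the unescaped
    behaviour the advisory describes; safe=True is the corrected form."""
    shown = neutralize_for_log(num_rows) if safe else num_rows
    return "INFO user=%s numRows=%s" % (user, shown)


def record_count(text: str) -> int:
    """How many records a line-oriented log reader would see in the text."""
    return len(text.splitlines())


# Constructed sample: a numRows value carrying an embedded line feed followed
# by text shaped like a second record.  Unescaped, a reader sees two records;
# neutralized, it sees one record whose value visibly contains \x0a.
FORGED_NUM_ROWS = "25\nINFO user=admin action=login"

if __name__ == "__main__":
    for safe in (False, True):
        rendered = log_line("alice", FORGED_NUM_ROWS, safe=safe)
        print("safe=%-5s records=%d  %r" % (safe, record_count(rendered), rendered))
```

<p>Encoding rather than stripping is the better choice for forensics: the record still shows that a control character arrived in the parameter, which is itself worth alerting on, while the log's one-record-per-line structure stays intact.</p>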
<p>Credit:</p>
<p>This issue was discovered by Marc Schoenefeld of Red Hat Software.</p></section><section>
<h3><a name="CVEID:_CVE-2015-5241"></a>CVEID: <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5241">CVE-2015-5241</a></h3>
<p>VERSION: 3.1.2, 3.1.3, 3.1.4, and 3.1.5 that utilize the portlets based user interface also known as &#x2018;Pluto&#x2019;, &#x2018;jUDDI Portal&#x2019;, &#x2018;UDDI Portal&#x2019; or &#x2018;uddi-console&#x2019;</p>
<p>PROBLEMTYPE: Open Redirect</p>
<p>REFERENCES: <a class="externalLink" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5241">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5241</a></p>
<p>DESCRIPTION: After logging into the portal, the logout JSP page redirects the browser back to the login page on logout. It is feasible for a malicious user to redirect the browser to an unintended web page instead. User session data, credentials, and auth tokens are cleared before the redirect.</p>
<p>Mitigations:</p>
<ol>
<li>Remove or disable the portlet-based user interface.</li>
<li>Upgrade to a newer version of jUDDI (v3.2 and newer), which is not affected by this issue.</li>
<li>If upgrading or disabling the portlet-based user interface is not an option, the change below resolves the issue.</li>
</ol>
<p>Modify the file located at &#x201c;uddi-portlets/logout.jsp&#x201d;, replacing the following text</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums"> &quot;String redirectURL = (String) request.getParameter(&quot;urlredirect&quot;);
if (redirectURL==null) redirectURL = &quot;/pluto/Logout&quot;;
</pre></div></div>
<p>with this text</p>
<div class="source">
<div class="source"><pre class="prettyprint linenums"> String redirectURL = &quot;/pluto/Logout&quot;;
</pre></div></div>
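<p>The replacement above simply hardcodes the destination. As an added example that goes a step beyond the advisory's fix (it is not jUDDI code), the block below shows the allow-list check to apply when a configurable return URL is genuinely required: only a plain same-site path is honoured, and every other input falls back to the hardcoded <code>/pluto/Logout</code> from the advisory. The inputs in the sample table are constructed.</p>

```python
from typing import Optional
from urllib.parse import urlsplit

# The only destination the patched logout.jsp uses (taken from the advisory).
DEFAULT_LOGOUT_URL = "/pluto/Logout"


def safe_redirect_target(requested: Optional[str],
                         default: str = DEFAULT_LOGOUT_URL) -> str:
    """Return a redirect target that stays on this site.

    Accepts only a plain absolute path such as "/pluto/Logout": no scheme,
    no host, no protocol-relative "//host" form, no backslashes (browsers
    treat "/\\host" like "//host") and no control characters.  Everything
    else falls back to the default, which is what the hardcoded fix does
    unconditionally.
    """
    if not requested:
        return default
    if any(ord(ch) < 0x20 or ch == "\\" for ch in requested):
        return default
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        return default
    if not requested.startswith("/") or requested.startswith("//"):
        return default
    return requested


# Constructed inputs paired with the decision a reviewer expects.
SAMPLE_INPUTS = [
    (None, DEFAULT_LOGOUT_URL),                       # parameter absent
    ("", DEFAULT_LOGOUT_URL),                         # parameter empty
    ("/pluto/Logout", "/pluto/Logout"),               # same-site path
    ("/uddi-portlets/home", "/uddi-portlets/home"),   # another same-site path
    ("pluto/Logout", DEFAULT_LOGOUT_URL),             # relative: ambiguous, refuse
    ("https://other.example/", DEFAULT_LOGOUT_URL),   # absolute URL off-site
    ("//other.example/x", DEFAULT_LOGOUT_URL),        # protocol-relative off-site
    ("/\\other.example", DEFAULT_LOGOUT_URL),         # backslash variant
    ("/pluto/Logout\r\nX: y", DEFAULT_LOGOUT_URL),    # control characters
]


def evaluate_samples() -> bool:
    """True when every constructed input yields the expected target."""
    return all(safe_redirect_target(given) == expected
               for given, expected in SAMPLE_INPUTS)


if __name__ == "__main__":
    for given, expected in SAMPLE_INPUTS:
        print("%-28r -> %s" % (given, safe_redirect_target(given)))
    print("all as expected:", evaluate_samples())
```

<p>The check deliberately refuses relative paths without a leading slash and anything <code>urlsplit</code> reports as having a scheme or host; a query string on an accepted path is fine, because the browser still resolves it against this site.</p>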
<p>No patches or releases are planned for the affected versions since jUDDI v3.2 replaced the user interface.</p></section></section>
</div>
</div>
</div>
<hr/>
<footer>
<div class="container-fluid">
<div class="row-fluid">
<p>Copyright &copy;2004&#x2013;2022
<a href="https://www.apache.org/">The Apache Software Foundation</a>.
All rights reserved.</p>
</div>
</div>
</footer>
</body>
</html>