| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "https://www.w3.org/TR/html4/loose.dtd"> |
| |
| |
| <!-- ====================================================================== --> |
| <!-- GENERATED FILE, DO NOT EDIT, EDIT THE XML FILE IN xdocs INSTEAD! --> |
| <!-- ====================================================================== --> |
| <html> |
| <head> |
| <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> |
| <style type="text/css">@import "stylesheets/base.css";</style> |
| <meta name="author" value=" |
| Apache UIMA Documentation Team"> |
| <meta name="email" value="dev@uima.apache.org"> |
| |
| |
| |
| <title>Apache UIMA - Security Reports</title> |
| |
| <!-- Begin Cookie Consent plugin by Silktide - https://silktide.com/cookieconsent --> |
| <!-- Commented out because implied consent is not compatible with GDPR --> |
| <!-- |
| <script type="text/javascript"> |
| window.cookieconsent_options = {"message":"This website uses cookies to ensure you get the best experience on our website","dismiss":"Got it!","learnMore":"More info","link":"https://uima.apache.org/privacy-policy.html","theme":"dark-bottom"}; |
| </script> |
| |
| <script type="text/javascript" src="/cookieconsent2/cookieconsent.min.js"></script> |
| --> |
| <!-- End Cookie Consent plugin --> |
| |
| <!-- Begin Google Analytics --> |
| <!-- Commented out because GA requires consent according to GDPR --> |
| <!-- |
| <script> |
| (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ |
| (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), |
| m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) |
| })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); |
| |
| ga('create', 'UA-70846351-1', 'auto'); |
| ga('set', 'anonymizeIp', true); |
| ga('send', 'pageview'); |
| |
| </script> |
| --> |
| <!-- End Google Analytics --> |
| </head> |
| |
| <body> |
| <div class="topLogos"> |
| <table border="0" width="100%" cellspacing="0"> |
| <!-- TOP IMAGE --> |
| <tr> |
| <td align='LEFT'> |
| <a href="index.html"> |
| <img style="border: 1px solid black;" src="./images/UIMA_banner2tlpTm.png" alt="UIMA project logo" border="0"/> |
| </a> |
| </td> |
| <td align='CENTER'> |
| <div class="pageBanner">Security Reports</div> |
| </td> |
| <td align='RIGHT'> |
| <a href="https://www.apache.org"> |
| <img src="./images/asf-logo-on-white-smallTm.png" alt="Apache UIMA" border="0"/> |
| </a> |
| </td> |
| </tr> |
| </table> |
| <hr noshade="" size="1"/> |
| </div> |
| <table border="0" width="100%" cellspacing="4"> |
| <tr> |
| <td align='RIGHT' colspan="2"> |
| <form method="get" action="https://www.google.com/search"> |
| Search the site |
| <input type="text" name="q" size="25" maxlength="255" value="" /> |
| <input type="hidden" name="sitesearch" value="https://uima.apache.org/" /> |
| <input name="Search" value="Search Site" type="submit"/> |
| </form> |
| </td> |
| </tr> |
| <tr> <!-- LEFT SIDE NAVIGATION --> |
| <td width="20%" valign="top"> |
| |
| |
| |
| |
| |
| |
| <!-- regular menu --> |
| <div class="navBar"> |
| <br/> |
| <div class="navBarItem"> <div class="navPartHeading">General</div> |
| </div> |
| <div class="navBar"> |
| <div class="navBarItem"> <a href="./index.html">Home</a> |
| </div> |
| <div class="navBarItem"> <a href="./downloads.cgi">Downloads</a> |
| </div> |
| <div class="navBarItem"> <a href="./documentation.html">Documentation</a> |
| </div> |
| <div class="navBarItem"> <a href="./news.html">News</a> |
| </div> |
| <div class="navBarItem"> <a href="./publications.html">Publications</a> |
| </div> |
| <br style="line-height: .5em"/> |
| <div class="navBarItem"> <a href="https://issues.apache.org/jira/browse/uima" target="_blank" rel="noopener">Issue tracker <img src="images/offsitelink.png"/></a> |
| </div> |
| <div class="navBarItem"> <a href="https://cwiki.apache.org/confluence/display/UIMA/" target="_blank" rel="noopener">Wiki <img src="images/offsitelink.png"/></a> |
| </div> |
| <br style="line-height: .5em"/> |
| <div class="navBarItem"> <a href="https://cwiki.apache.org/confluence/display/UIMA/Powered+by+Apache+UIMA" target="_blank" rel="noopener">Powered By UIMA <img src="images/offsitelink.png"/></a> |
| </div> |
| </div> |
| <br/> |
| <div class="navBarItem"> <div class="navPartHeading">Community</div> |
| </div> |
| <div class="navBar"> |
| <div class="navBarItem"> <a href="./get-involved.html">Get Involved</a> |
| </div> |
| <div class="navBarItem"> <a href="./mail-lists.html">Mailing Lists</a> |
| </div> |
| <div class="navBarItem"> <a href="./contribution-policy.html">Contribution Policies</a> |
| </div> |
| <div class="navBarItem"> <a href="./faq.html">FAQ</a> |
| </div> |
| <div class="navBarItem"> <a href="./project-guidelines.html">Project Guidelines</a> |
| </div> |
| </div> |
| <br/> |
| <div class="navBarItem"> <div class="navPartHeading">Components & Tools</div> |
| </div> |
| <div class="navBar"> |
| <div class="navBarItem"> <a href="./sandbox.html#uima-addons-annotators">Annotators</a> |
| </div> |
| <div class="navBarItem"> <a href="./toolsServers.html">Tools & Servers</a> |
| </div> |
| <div class="navBarItem"> <a href="./sandbox.html">Addons and Sandbox</a> |
| </div> |
| <div class="navBarItem"> <a href="./ruta.html">UIMA Ruta</a> |
| </div> |
| <div class="navBarItem"> <a href="https://github.com/apache/uima-uimafit" target="_blank" rel="noopener">uimaFIT <img src="images/offsitelink.png"/></a> |
| </div> |
| <div class="navBarItem"> <a href="./external-resources.html">External Resources</a> |
| </div> |
| </div> |
| <br/> |
| <div class="navBarItem"> <div class="navPartHeading">Development</div> |
| </div> |
| <div class="navBar"> |
| <div class="navBarItem"> <a href="./dev-quick.html">Quick Start: building</a> |
| </div> |
| <div class="navBarItem"> <a href="./building-uima.html">Building from Source</a> |
| </div> |
| <div class="navBarItem"> <a href="./one-time-setup.html">One-time setups</a> |
| </div> |
| <div class="navBarItem"> <a href="./svn.html">Source Code</a> |
| </div> |
| <div class="navBarItem"> <a href="./release.html">Doing a UIMA release</a> |
| </div> |
| <div class="navBarItem"> <a href="https://www.apache.org/security/committers.html" target="_blank" rel="noopener">Doing a CVE (Apache) <img src="images/offsitelink.png"/></a> |
| </div> |
| <div class="navBarItem"> <a href="./eclipse-update-site.html">Eclipse Update Sites</a> |
| </div> |
| <div class="navBarItem"> <a href="./git.html">GIT</a> |
| </div> |
| <div class="navBarItem"> <a href="./codeConventions.html">Code Conventions</a> |
| </div> |
| <div class="navBarItem"> <a href="./uima-specification.html">UIMA Specification (OASIS)</a> |
| </div> |
| <div class="navBarItem"> <a href="./team-list.html">Project Team</a> |
| </div> |
| <div class="navBarItem"> <a href="./maven-design.html">Maven Use</a> |
| </div> |
| <div class="navBarItem"> <a href="./updating-website.html">Updating this Website</a> |
| </div> |
| </div> |
| <br/> |
| <div class="navBarItem"> <div class="navPartHeading">Events and Conferences</div> |
| </div> |
| <div class="navBar"> |
| <div class="navBarItem"> <a href="./coling14.html">COLING 2014</a> |
| </div> |
| <div class="navBarItem"> <a href="./gscl13.html">GSCL 2013</a> |
| </div> |
| <div class="navBarItem"> <a href="./iks09.html">IKS 2009</a> |
| </div> |
| <div class="navBarItem"> <a href="./gscl09.html">GSCL 2009</a> |
| </div> |
| <div class="navBarItem"> <a href="./lsm09.html">LSM 2009</a> |
| </div> |
| <div class="navBarItem"> <a href="./lrec08.html">LREC 2008</a> |
| </div> |
| <div class="navBarItem"> <a href="./gldv07.html">GLDV 2007</a> |
| </div> |
| </div> |
| <br/> |
| <div class="navBarItem"> <div class="navPartHeading">ASF</div> |
| </div> |
| <div class="navBar"> |
| <div class="navBarItem"> <a href="https://www.apache.org/licenses/" target="_blank" rel="noopener">License <img src="images/offsitelink.png"/></a> |
| </div> |
| <div class="navBarItem"> <a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener">ASF Sponsors <img src="images/offsitelink.png"/></a> |
| </div> |
| <div class="navBarItem"> <a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener">ASF Sponsorship <img src="images/offsitelink.png"/></a> |
| </div> |
| <div class="navBarItem"> <a href="./security_report">Security</a> |
| </div> |
| </div> |
| </div> |
| </td> |
| <td width="80%" align="left" valign="top"> |
| <div class="sectionTable"> |
| <table class="sectionTable"> |
| <tr><td> |
| <a name="Security Update List by CVEs"><h1><img src="images/UIMA_4sq50tightCropSolid.png"/> Security Update List by CVEs</h1></a> |
| </td></tr> |
| <tr><td> |
| <blockquote class="sectionBody"> |
| <p>Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.</p> |
| <ul> |
| <li id="CVE-2018-8035"> |
| <pre>CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) vulnerability due to unintended execution of user supplied javascript code. |
| |
| Severity: Important |
| |
| Vendor: |
| The Apache Software Foundation |
| |
| Versions Affected: |
| - Apache UIMA DUCC releases including and prior to 2.2.2 |
| |
| Description. |
| The details of this vulnerability were reported to the Apache UIMA Private mailing list. |
| |
| This vulnerability relates to the user's browser processing of DUCC web page input data. |
| |
| The javascript comprising Apache UIMA DUCC which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code. |
| |
| Mitigation: |
| Users are advised to upgrade these UIMA components to the following levels: |
| - Apache UIMA DUCC: upgrade to 3.0.0 or later |
| |
| Credit: Marshall Schor |
| </pre> |
| </li> |
| </ul> |
| <ul> |
| <li id="CVE-2017-15691"> |
| <pre>CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure |
| |
| Severity: Important |
| |
| Vendor: |
| The Apache Software Foundation |
| |
| Versions Affected: |
| - uimaj 2.x.x releases prior to 2.10.2 |
| - uimaj 3.0.0 releases prior to 3.0.0-beta |
| - uima-as releases prior to 2.10.2 |
| - uimaFIT releases prior to 2.4.0 |
| - uimaDUCC releases prior to 2.2.2 |
| |
| Description. |
| The details of this vulnerability were reported to the Apache UIMA Private |
| mailing list. |
| |
| This vulnerability relates to an XML external entity expansion (XXE) capability |
| of various XML parsers. See |
| https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing |
| for more details. |
| |
| UIMA as part of its configuration and operation may read XML from various |
| sources, which could be tainted in ways to cause inadvertent disclosure of local |
| files or other internal content. |
| |
| Mitigation: |
| Users are advised to upgrade these UIMA components to the following levels or later: |
| - uimaj: 2.x.x upgrade to 2.10.2 or later |
| - uimaj: 3.x.x upgrade to 3.0.0 or later |
| - uima-as: upgrade to 2.10.2 or later |
| - uimaFIT: upgrade to 2.4.0 or later |
| - uimaDUCC: upgrade to 2.2.2 or later |
| |
| Credit: Joern Kottmann |
| </pre> |
| </li> |
| </ul> |
| </blockquote> |
| </p> |
| </td></tr> |
| </table> |
| <div class="sectionTable"> |
| <table class="sectionTable"> |
| <tr><td> |
| <a name="Reporting New Security Problems with Apache UIMA"><h1><img src="images/UIMA_4sq50tightCropSolid.png"/> Reporting New Security Problems with Apache UIMA</h1></a> |
| </td></tr> |
| <tr><td> |
| <blockquote class="sectionBody"> |
| <p>We strongly encourage people to report new security problems to the private |
| security mailing list of the ASF Security Team, before disclosing |
| them in a public forum.</p> |
| <p>Please see the page of the <a target="_blank" rel="noopener" href="https://www.apache.org/security/"> |
| AFS Security Team</a> for further information and contact information.</p> |
| <p><b>The Security Team cannot accept regular bug reports or other queries; please use |
| the regular <a target="_blank" rel="noopener" href="mail-lists.html">UIMA mailing lists</a> for those.</b></p> |
| </blockquote> |
| </p> |
| </td></tr> |
| </table> |
| <div class="sectionTable"> |
| <table class="sectionTable"> |
| <tr><td> |
| <a name="Security Standards"><h1><img src="images/UIMA_4sq50tightCropSolid.png"/> Security Standards</h1></a> |
| </td></tr> |
| <tr><td> |
| <blockquote class="sectionBody"> |
| <p>Apache UIMA vulnerabilities are labeled with |
| <a target="_blank" rel="noopener" href="https://cve.mitre.org">CVE</a> (Common Vulnerabilities and Exposures) identifiers.</p> |
| </blockquote> |
| </p> |
| </td></tr> |
| </table> |
| </td> |
| </tr> |
| <!-- FOOTER --> |
| <tr><td colspan="2"> |
| <hr noshade="" size="1"/> |
| </td></tr> |
| <tr><td colspan="2"> |
| <table class="pageFooter"> |
| <tr> |
| <td><a href="index.html">Home</a></td> |
| <td><a href="privacy-policy.html">Privacy Policy</a></td> |
| <td style="font-size:75%"> |
| Copyright © 2006-2024, The Apache Software Foundation.<br/> |
| Apache UIMA, UIMA, the Apache UIMA logo and the Apache Feather logo are trademarks of The Apache Software Foundation.<br/> |
| All other marks mentioned may be trademarks or registered trademarks of their respective owners. |
| </td> |
| <td><a href="mailto:dev@uima.apache.org">Contact us</a></td> |
| </tr> |
| </table> |
| </td></tr> |
| </table> |
| </body> |
| </html> |
| |