blob: 332c3a399473a318bd15343b761eacd846d8ac78 [file]
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<document>
<properties>
<title>Security Reports</title>
<author email="dev@uima.apache.org">
Apache UIMA Documentation Team</author>
</properties>
<body>
<section name="Security Update List by CVEs">
<p>Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.</p>
<ul>
<li id="CVE-2018-8035">
<pre>CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) vulnerability due to unintended execution of user supplied javascript code.
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
- Apache UIMA DUCC releases including and prior to 2.2.2
Description.
The details of this vulnerability were reported to the Apache UIMA Private mailing list.
This vulnerability relates to the user's browser processing of DUCC web page input data.
The javascript comprising Apache UIMA DUCC which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.
Mitigation:
Users are advised to upgrade these UIMA components to the following levels:
- Apache UIMA DUCC: upgrade to 3.0.0 or later
Credit: Marshall Schor
</pre>
</li>
</ul>
<ul>
<li id="CVE-2017-15691">
<pre>CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
- uimaj 2.x.x releases prior to 2.10.2
- uimaj 3.0.0 releases prior to 3.0.0-beta
- uima-as releases prior to 2.10.2
- uimaFIT releases prior to 2.4.0
- uimaDUCC releases prior to 2.2.2
Description.
The details of this vulnerability were reported to the Apache UIMA Private
mailing list.
This vulnerability relates to an XML external entity expansion (XXE) capability
of various XML parsers. See
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
for more details.
UIMA as part of its configuration and operation may read XML from various
sources, which could be tainted in ways to cause inadvertent disclosure of local
files or other internal content.
Mitigation:
Users are advised to upgrade these UIMA components to the following levels or later:
- uimaj: 2.x.x upgrade to 2.10.2 or later
- uimaj: 3.x.x upgrade to 3.0.0 or later
- uima-as: upgrade to 2.10.2 or later
- uimaFIT: upgrade to 2.4.0 or later
- uimaDUCC: upgrade to 2.2.2 or later
Credit: Joern Kottmann
</pre>
</li>
</ul>
</section>
<section name="Reporting New Security Problems with Apache UIMA">
<p>We strongly encourage people to report new security problems to the private
security mailing list of the ASF Security Team, before disclosing
them in a public forum.</p>
<p>Please see the page of the <a target="_blank" rel="noopener" href="https://www.apache.org/security/">
AFS Security Team</a> for further information and contact information.</p>
<p><b>The Security Team cannot accept regular bug reports or other queries; please use
the regular <a target="_blank" rel="noopener" href="mail-lists.html">UIMA mailing lists</a> for those.</b></p>
</section>
<section name="Security Standards">
<p>Apache UIMA vulnerabilities are labeled with
<a target="_blank" rel="noopener" href="https://cve.mitre.org">CVE</a> (Common Vulnerabilities and Exposures) identifiers.</p>
</section>
</body>
</document>