| <?xml version="1.0" encoding="UTF-8"?> |
| <!-- |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| https://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| --> |
| <document> |
| |
| <properties> |
| <title>Security Reports</title> |
| <author email="dev@uima.apache.org"> |
| Apache UIMA Documentation Team</author> |
| </properties> |
| |
| <body> |
| |
| <section name="Security Update List by CVEs"> |
| |
| <p>Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.</p> |
| |
| <ul> |
| <li id="CVE-2018-8035"> |
| <pre>CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) vulnerability due to unintended execution of user supplied javascript code. |
| |
| Severity: Important |
| |
| Vendor: |
| The Apache Software Foundation |
| |
| Versions Affected: |
| - Apache UIMA DUCC releases including and prior to 2.2.2 |
| |
| Description. |
| The details of this vulnerability were reported to the Apache UIMA Private mailing list. |
| |
| This vulnerability relates to the user's browser processing of DUCC web page input data. |
| |
| The javascript comprising Apache UIMA DUCC which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code. |
| |
| Mitigation: |
| Users are advised to upgrade these UIMA components to the following levels: |
| - Apache UIMA DUCC: upgrade to 3.0.0 or later |
| |
| Credit: Marshall Schor |
| </pre> |
| </li> |
| </ul> |
| |
| |
| <ul> |
| <li id="CVE-2017-15691"> |
| <pre>CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure |
| |
| Severity: Important |
| |
| Vendor: |
| The Apache Software Foundation |
| |
| Versions Affected: |
| - uimaj 2.x.x releases prior to 2.10.2 |
| - uimaj 3.0.0 releases prior to 3.0.0-beta |
| - uima-as releases prior to 2.10.2 |
| - uimaFIT releases prior to 2.4.0 |
| - uimaDUCC releases prior to 2.2.2 |
| |
| Description. |
| The details of this vulnerability were reported to the Apache UIMA Private |
| mailing list. |
| |
| This vulnerability relates to an XML external entity expansion (XXE) capability |
| of various XML parsers. See |
| https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing |
| for more details. |
| |
| UIMA as part of its configuration and operation may read XML from various |
| sources, which could be tainted in ways to cause inadvertent disclosure of local |
| files or other internal content. |
| |
| Mitigation: |
| Users are advised to upgrade these UIMA components to the following levels or later: |
| - uimaj: 2.x.x upgrade to 2.10.2 or later |
| - uimaj: 3.x.x upgrade to 3.0.0 or later |
| - uima-as: upgrade to 2.10.2 or later |
| - uimaFIT: upgrade to 2.4.0 or later |
| - uimaDUCC: upgrade to 2.2.2 or later |
| |
| Credit: Joern Kottmann |
| </pre> |
| </li> |
| </ul> |
| |
| </section> |
| |
| <section name="Reporting New Security Problems with Apache UIMA"> |
| <p>We strongly encourage people to report new security problems to the private |
| security mailing list of the ASF Security Team, before disclosing |
| them in a public forum.</p> |
| |
| <p>Please see the page of the <a target="_blank" rel="noopener" href="https://www.apache.org/security/"> |
| AFS Security Team</a> for further information and contact information.</p> |
| |
| <p><b>The Security Team cannot accept regular bug reports or other queries; please use |
| the regular <a target="_blank" rel="noopener" href="mail-lists.html">UIMA mailing lists</a> for those.</b></p> |
| </section> |
| |
| <section name="Security Standards"> |
| <p>Apache UIMA vulnerabilities are labeled with |
| <a target="_blank" rel="noopener" href="https://cve.mitre.org">CVE</a> (Common Vulnerabilities and Exposures) identifiers.</p> |
| |
| </section> |
| </body> |
| </document> |