CVE-2023-40743 - Critical Axis library vulnerability #1424

Open
howthatdo opened this issue Sep 19, 2023 · 5 comments

@howthatdo

The Axis 1.x library has a reported critical vulnerability in it. The 1.4.1 version of Axis is included in Birt 4.9.0 and 4.13.0. This library is EOL and the recommended fix is to switch to a different SOAP library (like Axis 2.x).

@merks
Contributor

merks commented Sep 19, 2023

Do you have any plans to help solve this problem?

@howthatdo
Author

I'm sorry, I don't.

@merks
Contributor

merks commented Nov 1, 2023

As I understand it, the 1.4.1 version in BIRT is one that fixes the CVE in 1.4.0. While it would still be good to switch to Axis 2.x, the linked CVE does not apply.

merks added a commit to merks/birt that referenced this issue Nov 1, 2023
This allows WTP's package requirements on org.apache.axis packages to
resolve to the packages exported by BIRT's 1.4.1 version of that bundle.

eclipse-birt#1424
merks added a commit that referenced this issue Nov 1, 2023
This allows WTP's package requirements on org.apache.axis packages to
resolve to the packages exported by BIRT's 1.4.1 version of that bundle.

#1424
@howthatdo
Author

As I understand it, the 1.4.1 version in BIRT is one that fixes the CVE in 1.4.0. While it would still be good to switch to Axis 2.x, the linked CVE does not apply.

My reading of the CVE itself is that all 1.x versions of Axis are affected. Where are you seeing that 1.4.1 fixes this issue?

@claesrosell
Contributor

It looks like this CVE is fixed with this commit:
apache/axis-axis1-java@7e66753
Apache Axis 1 is in some regard maintained, but since there are no new versions of it, there is no other way of receiving the fixes than building Axis 1 from source oneself.
That will fix the CVE, but the security scanner will still complain.
