This repository has been archived by the owner on Nov 9, 2022. It is now read-only.

Upgrade xstream java library #722

Closed
rlouapre opened this issue Jan 20, 2017 · 6 comments

Comments

@rlouapre
Contributor

xstream-1.4.2.jar was released in Nov 2011 and a customer has reported the following public vulnerabilities:

Summary

* CVE-2016-3674

Descriptions

* CVE-2016-3674

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Would it be possible to upgrade this library (./deploy/lib/java/xstream-1.4.2.jar)?

BTW - when does Roxy use java libraries in ./deploy/lib/java?

@dmcassel
Collaborator

Roxy has features for MLCP, RecordLoader, and Corb. Upgrading would be fine, but should be tested. Actually, I wouldn't have a problem dropping RecordLoader support, which would eliminate the need for a couple of those JARs. In the meantime, if you're not using those features, deleting those JARs from your local repo would be fine.

@dmcassel dmcassel added this to the April 2017 milestone Jan 23, 2017
@heelix

heelix commented Jan 25, 2017

We are using RecordLoader -- please leave it in for us still using it with roxy.

@dmcassel
Collaborator

@heelix, thanks, good to know someone is using it.

@RobertSzkutak RobertSzkutak removed this from the April 2017 milestone May 5, 2017
@grtjn
Contributor

grtjn commented Jun 1, 2017

Just ran a test with xstream-1.4.10.jar, which worked just fine for me. Note that we improved the code a while ago. It looks for xstream*.jar, so you can just trade out the jar with a newer version and try.

I'll also upgrade xcc to latest..

Small note though: xstream 1.4.10 seems to require Java 1.8. There is a separate xstream-1.4.10-java7.jar for download, but that will not run with Java 1.8, as it expects some Lambda classes that are not included in the java7 jar.
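An added example, not Roxy's own code and not posted by anyone in this thread: a small Ruby audit of the `xstream*.jar` files in a lib directory. It covers both the CVE description in the opening post (XStream before 1.4.9 is affected by CVE-2016-3674) and the note above about the `xstream-1.4.10-java7.jar` variant not running on Java 8. The glob pattern (assumed to mirror what Roxy does when it "looks for xstream*.jar"), the `audit_*` helper names, the `java_major` parameter and the sample jar filenames are assumptions constructed for the example; the only facts taken from the page are the 1.4.9 version boundary and the java7-jar caveat.

```ruby
# Added example (not Roxy's own code): audit xstream jars in a lib directory
# against the first XStream release that fixed CVE-2016-3674 (1.4.9, per the
# CVE description quoted in this issue).
require "rubygems"   # for Gem::Version (loaded by default on modern Ruby)
require "tmpdir"
require "fileutils"

XSTREAM_FIXED_VERSION = Gem::Version.new("1.4.9")
# Matches xstream-<version>.jar and the xstream-<version>-java7.jar variant.
JAR_PATTERN = /\Axstream-(\d+(?:\.\d+)*)(-java7)?\.jar\z/

# Parse a jar filename into [version, java7_variant?]; nil if not an xstream jar.
def parse_xstream_jar(filename)
  m = JAR_PATTERN.match(File.basename(filename))
  return nil unless m
  [Gem::Version.new(m[1]), !m[2].nil?]
end

# Audit one jar and return a hash describing the finding.
# java_major is the JVM major version the deployment runs on (assumption:
# caller supplies it; 8 is used as the default).
def audit_xstream_jar(filename, java_major = 8)
  parsed = parse_xstream_jar(filename)
  return { jar: File.basename(filename), status: :not_xstream } unless parsed
  version, java7 = parsed
  status =
    if version < XSTREAM_FIXED_VERSION
      :vulnerable            # affected by CVE-2016-3674 (XXE in the XML drivers)
    elsif java7 && java_major >= 8
      :wrong_java_variant    # java7 jar lacks lambda classes needed on Java 8 (see thread)
    else
      :ok
    end
  { jar: File.basename(filename), version: version.to_s, status: status }
end

# Audit every xstream*.jar under lib_dir (glob assumed to mirror Roxy's lookup).
def audit_lib_dir(lib_dir, java_major = 8)
  Dir.glob(File.join(lib_dir, "xstream*.jar")).sort.map do |jar|
    audit_xstream_jar(jar, java_major)
  end
end

if __FILE__ == $0
  # Constructed sample lib directory with three empty jar files.
  Dir.mktmpdir do |dir|
    %w[xstream-1.4.2.jar xstream-1.4.10.jar xstream-1.4.10-java7.jar].each do |name|
      FileUtils.touch(File.join(dir, name))
    end
    audit_lib_dir(dir).each { |r| puts "#{r[:jar]}: #{r[:status]}" }
  end
end
```

Run it against `./deploy/lib/java` instead of the temporary directory to check a real checkout; anything reported as `:vulnerable` is below 1.4.9, and `:wrong_java_variant` flags the java7 build on a Java 8 runtime.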

@grtjn
Contributor

grtjn commented Jun 1, 2017

Also, xstream is used by XQSync only, not RecordLoader. Both use xpp3 though..

@grtjn grtjn added this to the May 2017 milestone Jun 1, 2017
@grtjn grtjn self-assigned this Jun 1, 2017
RobertSzkutak added a commit that referenced this issue Jun 7, 2017
Fixed #722: upgraded xstream jar, and also xcc
@grtjn
Contributor

grtjn commented Jun 8, 2017

Fixed in dev
