Hmm.

There are various red flags here that suggest to me that this issue is likely not valid.

1. The source is oss-fuzz. I have been dealing with oss-fuzz issues for Apache Tomcat and so far out of the 30+ issues raised (the majority marked as security relevant) not one of the issues was a vulnerability.

2. The CNA is Google. Google is not authorised to issue CVEs for ASF projects except in strictly limited circumstances that do not apply here.

3. There is no record of CVE-2022-41852 on *ANY* ASF security list.

The next steps are:

- Identify the current JXPath maintainers (or some volunteers to clean up this mess)

- Gain access to the details of the reports

- Assess the reports

- Invalidate / update the CVEs as required

I don't see meaningful commits to the repo after 2015 so I suspect we'll be looking for volunteers.

Mark



On 10/10/2022 16:19, Mike Drob wrote:
Howdy folks,

I recently saw that there was a reported CVE[1] for Apache JXPath that became 
public due to no response to the reporter over 90 days. I am uncertain if the 
reporter had tried reaching out to the appropriate security lists beforehand 
and was ignored, or failed to follow our established procedures. Regardless, 
the issue is now public.

I have not personally verified the vulnerability, nor assessed the impact. NIST 
thinks it is a Big Deal, though, scoring it 9.8/10 [2].

It is hard to assess impact since the project does not publish artifacts to 
maven central, but I'm also taking that as an indicator of low adoption at this 
point in time. Further, the project has not had a release since 2015. There has 
been very limited mailing list activity, and the last 5 years of commits have 
only been typo/comment fixes.

If there is no community around it, is there a path to retirement? What are the 
next steps?

Thanks,
Mike

[1]: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47133
[2]: https://nvd.nist.gov/vuln/detail/CVE-2022-41852

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
