
CVE-2023-40743 - Critical Axis library vulnerability

Open howthatdo opened this issue 2 years ago • 5 comments

The Axis 1.x library has a reported critical vulnerability in it. The 1.4.1 version of Axis is included in BIRT 4.9.0 and 4.13.0. This library is EOL and the recommended fix is to switch to a different SOAP library (like Axis 2.x).

howthatdo, Sep 19 '23 16:09

Do you have any plans to help solve this problem?

merks, Sep 19 '23 16:09

I'm sorry, I don't.

howthatdo, Sep 19 '23 17:09

As I understand it, the 1.4.1 version in BIRT is one that fixes the CVE in 1.4.0. While it would still be good to switch to Axis 2.x, the linked CVE does not apply.

merks, Nov 01 '23 14:11

As I understand it, the 1.4.1 version in BIRT is one that fixes the CVE in 1.4.0. While it would still be good to switch to Axis 2.x, the linked CVE does not apply.

My reading of the CVE itself is that all 1.x versions of Axis are affected. Where are you seeing that 1.4.1 fixes this issue?

howthatdo, Nov 02 '23 00:11

It looks like this CVE is fixed with this commit: https://github.com/apache/axis-axis1-java/commit/7e66753427466590d6def0125e448d2791723210. Apache Axis 1 is in some regard maintained, but since there are no new versions of it, there is no other way of receiving the fixes than building Axis 1 from source oneself. That will fix the CVE, but the security scanner will still complain.

claesrosell, Nov 02 '23 05:11

This issue is addressed by the use of 1.4.1:

https://github.com/eclipse-orbit/orbit-simrel/issues/16

merks, Jul 20 '24 12:07