This repository has been archived by the owner on Nov 29, 2022. It is now read-only.

Update esapi version for CVE-2022-23457 #525

Open
OrangeDog opened this issue May 10, 2022 · 3 comments

Comments

@OrangeDog
Contributor

2.3.0.0 has the fix, but also a breaking change.
To get it to work, you need to bypass opensaml's attempt to configure it.
Here is one method:

  1. Set the system property org.owasp.esapi.SecurityConfiguration to org.owasp.esapi.reference.DefaultSecurityConfiguration.
  2. Create the file ESAPI.properties (in one of various possible locations, including working directory and classpath). The minimal required content is below.
     ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
     Logger.ApplicationName=
     Logger.LogEncodingRequired=false
     Logger.LogApplicationName=false
     Logger.LogServerIP=false
     Logger.UserInfo=false
     Logger.ClientInfo=false

Or set any other implementation of org.owasp.esapi.SecurityConfiguration to provide the necessary properties.
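The two-step workaround above as an added shell example (not code from the issue or the project): it writes the minimal ESAPI.properties into a directory ESAPI will search (the working directory by default), checks that every required key is present, and builds the JVM flag that pins the SecurityConfiguration implementation. The jar name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the issue or the project. Property name and value
# are the ones given in the post; the application jar is a placeholder.

ESAPI_PROP_NAME="org.owasp.esapi.SecurityConfiguration"
ESAPI_PROP_VALUE="org.owasp.esapi.reference.DefaultSecurityConfiguration"

# Write the minimal ESAPI.properties into $1 (defaults to the working
# directory, one of the locations ESAPI searches). Prints the file path.
write_esapi_properties() {
  dir="${1:-.}"
  mkdir -p "$dir"
  cat > "$dir/ESAPI.properties" <<'EOF'
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Logger.ApplicationName=
Logger.LogEncodingRequired=false
Logger.LogApplicationName=false
Logger.LogServerIP=false
Logger.UserInfo=false
Logger.ClientInfo=false
EOF
  printf '%s\n' "$dir/ESAPI.properties"
}

# Verify that a properties file defines every key the post lists.
# Reports each missing key on stderr and returns 1 if any is absent.
check_esapi_properties() {
  file="$1"
  rc=0
  for key in ESAPI.Logger Logger.ApplicationName Logger.LogEncodingRequired \
             Logger.LogApplicationName Logger.LogServerIP \
             Logger.UserInfo Logger.ClientInfo; do
    grep -q "^${key}=" "$file" || { echo "missing: $key" >&2; rc=1; }
  done
  return $rc
}

# The -D flag that forces DefaultSecurityConfiguration so OpenSAML's own
# attempt to select an ESAPI configuration is bypassed.
esapi_jvm_flag() {
  printf '%s' "-D${ESAPI_PROP_NAME}=${ESAPI_PROP_VALUE}"
}

# Usage (placeholder jar name):
#   write_esapi_properties . && java "$(esapi_jvm_flag)" -jar app.jar
```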

@benatwork99

Thanks!

When you make this change, I think you can also remove the xalan dependency from this project; it seems to have been added to upversion esapi's transitive dependency on xalan. esapi 2.3 no longer has a xalan dependency, so after this esapi update this project brings xalan in unnecessarily, which may trigger a different CVE warning in scans.

@natrajms

CVE-2022-23457 has a 9.8 CRITICAL severity. These changes should be considered.

@OrangeDog
Contributor Author

@natrajms this project is unmaintained, so they're not going to do it.
I've left instructions here for how to do it yourself.
