Verified Answers


If an answer to your question is correct, click on "Verify Answer" under the "More" button. The answer will now appear with a checkmark. Please be sure to always mark answers that resolve your issue as verified. Your fellow Community members will appreciate it!  Learn more

  • State Not Answered
  • Replies replies
    2
  • Subscribers subscribers
    3
  • Views views
    675
  • Users 0 members are here
  • Locked Locked
Related
Options
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Vulnerabilities in VisiBroker 8.5 SP7

Gabor Toth

Hello,

One of our vulnerability scanner reported the following vulnerable sub-3PPs in Visibroker:

CVE-2021-33813 – This is a JDOM vulnerability

CVE-2020-10683 – DOM4J vulnerability

CVE-2019-0227 – Apache Axis vulnerability

VisiBroker uses these FOSSs, so we need to know if the vulnerabilities are valid in context of VisiBroker.

Thanks,

Gabor

  • 0  

    Hi Gabor,

    CVE-2021-33813 -

    An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

          VisiBroker does not use SAX/JDOM to process HTTP traffic, not a vulnerability in VB 8.5.7

    CVE-2020-10683

    dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
          VisiBroker does not use Dom4j anywhere in the product. Not a vulnerability in VB 8.5.7

    CVE-2019-0227

    A Server Side Request Forgery (SSRF) vulnerability affected the Apache Axis 1.4 distribution that was last released in 2006. Security and bug commits commits continue in the projects Axis 1.x Subversion repository, legacy users are encouraged to build from source. The successor to Axis 1.x is Axis2, the latest version is 1.7.9 and is not vulnerable to this issue.
         VisiBroker does not use Axis for any basic CORBA iiop communications (standard CORBA) in Java or C++.  However the Axis C++ implementation in VisiBroker comes with the infrastructure for a HTTP/SOAP listener (internally Apache Axis Technlogy), which is by default turned off.  So by default VisiBroker 8.5.7 is not vulnerable. 

    Cheers,

    -Scott

  • 0   in reply to scott_kay

    Hi Gabor,

        If you need more information on any of these or other CVE's, please open a support case with Micro Focus support to discuss the issues in more detail. 

    Cheers,

    -Scott

Resources

Support
Documentation
Learning Services
Partner Programs
Privacy
Compliance
Help
Company
Privacy Policy
Terms of Use
Accessibility
Anti-Slavery Statement
Support
Contact Us
Careers
Code of Business Conduct and Ethics
The opinions expressed above are the personal opinions of the authors, not of OpenText. By using this site, you accept the Terms of Use. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.), Hewlett Packard Enterprise Company, or Micro Focus. As of January 31, 2023, the Material is now offered by OpenText, a separately owned and operated company. Any reference to the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks is historical in nature and the HP, Hewlett Packard Enterprise/HPE, and Micro Focus marks are the property of their respective owners.