- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 11.0.0, 12.0.0
- Environment: Oracle JDK 7, 8, 9. OpenAM 12.0.x
- Sprint: AM Sustaining Sprint 15, AM Sustaining Sprint 16, AM Sustaining Sprint 17, AM Sustaining Sprint 18
Xerces 2.11 and Xalan 2.7.1 are bundled inside openam.war and used. However, since newer JDK 7/8 and later already maintain a private copy that is better maintained with security patches, it may be good to consider trimming and removing the Xerces/Xalan dependencies and using the JAXP provided by the later JDK.

One of the reasons is the recent Oracle JDK CPU Oct 2015, which indicated XML vulnerabilities (like the hash collision), and it would seem the fix is not applied to Xerces 2.11 [CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)]. It would be nice to remove them and use the inbuilt JDK (i.e. reduce footprint as well as relegate the XML base stuff back to the JDK core).
- JDK XML issues fixed in the latest (Oct 2015) CPU:
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4803
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4893
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4911
Consider (if possible, for the future):
a) Remove the xerces/xalan dependencies from the build
b) Make OpenAM run without these libs
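As an added example (not code from the OpenAM issue or codebase), the following Java check reports which JAXP provider classes actually resolve at runtime, so one can confirm after step b) that the JDK's built-in parsers and transformer are in use rather than a bundled Xerces/Xalan copy. The package prefixes are the well-known JDK-internal and Apache ones; the class name `JaxpProviderCheck` is hypothetical.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import java.security.CodeSource;

// Hypothetical diagnostic: classify the JAXP factories resolved on this classpath.
public class JaxpProviderCheck {

    /** Classifies an implementation class by its package prefix. */
    static String origin(Class<?> impl) {
        String name = impl.getName();
        if (name.startsWith("com.sun.org.apache.")) {
            // JDK-internal repackaged Xerces/Xalan, patched via the JDK CPU
            return "JDK built-in (" + name + ")";
        }
        if (name.startsWith("org.apache.xerces.") || name.startsWith("org.apache.xalan.")) {
            // Standalone Apache artifact, e.g. a jar shipped inside the war
            return "bundled Apache jar (" + name + ")";
        }
        return "other provider (" + name + ")";
    }

    /** Location of the jar a class was loaded from; null means the JDK bootstrap path. */
    static String loadedFrom(Class<?> impl) {
        CodeSource cs = impl.getProtectionDomain().getCodeSource();
        return cs == null ? "bootstrap class path (JDK)" : cs.getLocation().toString();
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        SAXParserFactory spf = SAXParserFactory.newInstance();
        TransformerFactory tf = TransformerFactory.newInstance();

        // FEATURE_SECURE_PROCESSING enables the JAXP processing limits; both the
        // JDK-internal and the standalone Apache providers accept it.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        System.out.println("DocumentBuilderFactory: " + origin(dbf.getClass()));
        System.out.println("  loaded from: " + loadedFrom(dbf.getClass()));
        System.out.println("SAXParserFactory:       " + origin(spf.getClass()));
        System.out.println("  loaded from: " + loadedFrom(spf.getClass()));
        System.out.println("TransformerFactory:     " + origin(tf.getClass()));
        System.out.println("  loaded from: " + loadedFrom(tf.getClass()));
    }
}
```

Run it with the same classpath as the deployed web application (or from a JSP/servlet inside it), since JAXP provider resolution depends on the context class loader, not on the JDK alone.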
- is related to: COMMONS-74 Remove XMLUtils StackTrace for ClassNotFoundException for Xerces (Resolved)