
Consider using JDK JAXP/XML instead of Xerces/Xalan to keep up with JDK fixes

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 11.0.0, 12.0.0
    • Fix Version/s: 12.0.3, 13.5.0
    • Component/s: build, other
    • Environment:
      Oracle JDK 7,8,9. OpenAM 12.0.x,
    • Sprint:
      AM Sustaining Sprint 15, AM Sustaining Sprint 16, AM Sustaining Sprint 17, AM Sustaining Sprint 18

      Description

      Xerces 2.11 and Xalan 2.7.1 are bundled inside openam.war and used. However, since newer JDK 7/8 and later already maintain a private copy that is better maintained with security patches, it may be good to consider trimming and removing the Xerces/Xalan dependencies and using the JAXP provided by the later JDK.

      One of the reasons is that the recent Oracle JDK CPU Oct 2015 indicated XML vulnerabilities (like the hash collision) and it would seem the fix is not applied to Xerces 2.11 [CVE-2015-4803 OpenJDK: inefficient use of hash tables and lists during XML parsing (JAXP, 8068842)]. It would be nice to remove them and use the inbuilt JDK (i.e. reduce footprint as well as relegate the XML base stuff back to the JDK core).

      • JDK XML CPU 2015 fixed in latest Oct 2015:

      Consider (if possible for future):
      a) Remove xerces/xalan dependencies from build
      b) Make openam run w/o these libs
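
      As an added example (not code from this ticket or from OpenAM itself), the following Java class shows how a deployer can verify that step b) actually holds, that is, that no bundled Xerces/Xalan copy is being picked up. JAXP resolves each factory through the system property, then jaxp.properties, then META-INF/services on the classpath, then the JDK default; a standalone xerces/xalan jar ships META-INF/services entries, so merely leaving it in WEB-INF/lib silently overrides the JDK's CPU-patched copy. The class name, the package-prefix heuristics and the classpath in the usage note are assumptions made for the example.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.xpath.XPathFactory;

/**
 * Prints which implementation class each JAXP factory resolves to at runtime
 * and exits non-zero if any of them comes from a separately bundled Apache jar.
 * (Example code; not part of OpenAM.)
 */
public class JaxpProviderCheck {

    /** The JDK's private copies of Xerces/Xalan/XPath live under com.sun.org.apache.*. */
    static boolean isJdkBuiltin(String impl) {
        return impl.startsWith("com.sun.org.apache.");
    }

    /** Standalone Apache Xerces/Xalan jars use org.apache.xerces/xalan/xml/xpath packages. */
    static boolean isBundledApache(String impl) {
        return impl.startsWith("org.apache.xerces.")
            || impl.startsWith("org.apache.xalan.")
            || impl.startsWith("org.apache.xml.")     // Xalan serializer / DTM packages
            || impl.startsWith("org.apache.xpath.");  // Xalan's XPathFactory
    }

    static String classify(String impl) {
        if (isJdkBuiltin(impl)) return "JDK built-in (receives JDK CPU fixes)";
        if (isBundledApache(impl)) return "bundled Apache jar (not covered by JDK CPU fixes)";
        return "other provider";
    }

    public static void main(String[] args) throws Exception {
        // Ask each factory which provider the JAXP lookup selected on this classpath.
        String[][] factories = {
            {"DocumentBuilderFactory", DocumentBuilderFactory.newInstance().getClass().getName()},
            {"SAXParserFactory",       SAXParserFactory.newInstance().getClass().getName()},
            {"TransformerFactory",     TransformerFactory.newInstance().getClass().getName()},
            {"XPathFactory",           XPathFactory.newInstance().getClass().getName()},
        };

        boolean bundledFound = false;
        for (String[] f : factories) {
            System.out.printf("%-22s -> %s [%s]%n", f[0], f[1], classify(f[1]));
            bundledFound |= isBundledApache(f[1]);
        }

        // Once the JDK parser is in use, enable secure processing so the JDK's
        // entity-expansion and size limits (the ones the CPU patches tune) apply.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        System.out.println("FEATURE_SECURE_PROCESSING enabled on " + dbf.getClass().getName());

        // Non-zero exit lets a build or deployment check fail fast if a bundled copy is still resolved.
        System.exit(bundledFound ? 1 : 0);
    }
}
```

      Run it once with the JDK alone (`javac JaxpProviderCheck.java && java JaxpProviderCheck`) and once with the exploded war's libraries on the classpath (for example `java -cp '.:WEB-INF/lib/*' JaxpProviderCheck` after unzipping openam.war; path assumed). Before the dependency trim the second run reports org.apache.xerces.jaxp.DocumentBuilderFactoryImpl and exits 1; after it, both runs should report com.sun.org.apache.* classes and exit 0.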

    People

    • Assignee: C-Weng C (chee-weng.chea)
    • Reporter: C-Weng C (chee-weng.chea)
    • QA Assignee: Richard Hruza
    • Votes: 1
    • Watchers: 6
