CVE-2017-1000190

[julianseeger]

This minio client lib depends directly on org.simpleframework:simple-xml:2.7.1 which has an active CVE: https://nvd.nist.gov/vuln/detail/CVE-2017-1000190 which sounds pretty bad.

It doesn't look like there will be a fix in simple-xml because the maintainers state that it's more of a configuration issue. But forks show that it could at least have a secure default configuration.

As the CVE is of 2017, it doesn't look like it may ever be resolved. I don't know if this minio client uses a secure configuration for simple-xml that mitigates this vulnerability but IMO with this CVE and no action at all of the maintainers, org.simpleframework:simple-xml is dead.

Do we have any chance that this minio client moves away from org.simpleframework:simple-xml:2.7.1?

[harshavardhana]

minio-java will be forking the simple-xml project closing in #886

[Alevsk]

Hi @julianseeger we will discuss this internally and then get back to you

[balamurugana]

How about using simplexml-safe than forking?

[harshavardhana]

How about using simplexml-safe than forking?

We can but it needs to be maintained as per #886 there are no active maintainers for any of the forks, we need to be the active maintainer because it is the core of our functionality.

To alleviate the concerns regarding maintainability we should take over IMHO @balamurugana

[boubech]

Hello,

Even if MinIO Java uses 'simple-xml-safe' (2.7.1), the CVE-2017-1000190 still present in release 7.1.0

Regards,

[balamurugana]

@boubech Can you provide more information how this CVE exhibits with respective code?

[boubech]

When I execute owasp check-dependency
I get this error :

Failed to execute goal org.owasp:dependency-check-maven:5.3.2:check (default) on project XXXXXX
One or more dependencies were identified with vulnerabilities:
simple-xml-safe-2.7.1.jar: CVE-2017-1000190

The dependency generating this error is : com.carrotsearch.thirdparty:simple-xml-safe
I have inserted a entry in my CVE suppressions file to exclude this vulnerability.

Is this a false positive ?

[balamurugana]

The CVE is for SimpleXML not to the project simplexml-safe. Its better to check OWASP why it reports CVE of SimpleXML to simplexml-safe.