spring-attic / spring-security-saml

SAML extension for the Spring Security project

Update esapi version for CVE-2022-23457 #525

Open OrangeDog opened 2 years ago

OrangeDog commented 2 years ago

2.3.0.0 has the fix, but also a breaking change. To get it to work, you need to bypass opensaml's attempt to configure it. Here is one method:

1. Set the system property org.owasp.esapi.SecurityConfiguration to org.owasp.esapi.reference.DefaultSecurityConfiguration.
2. Create the file ESAPI.properties (in one of various possible locations, including working directory and classpath). The minimal required content is below.

```properties
ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory
Logger.ApplicationName=
Logger.LogEncodingRequired=false
Logger.LogApplicationName=false
Logger.LogServerIP=false
Logger.UserInfo=false
Logger.ClientInfo=false
```

Or set any other implementation of org.owasp.esapi.SecurityConfiguration to provide the necessary properties.
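The two steps above, written as startup code (an added example, not code from the issue or from spring-security-saml): the class name `EsapiBootstrap`, the fail-fast smoke test through `ESAPI.encoder()`, and the assumption that ESAPI.properties with the content listed above is already on the classpath are mine; the property name and value come from the comment.

```java
import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.ConfigurationException;

/**
 * Selects ESAPI's stock SecurityConfiguration before OpenSAML / Spring SAML
 * bootstraps, then checks that ESAPI.properties was actually found.
 * Hypothetical class, added for illustration; not part of the project.
 */
public final class EsapiBootstrap {

    // Property name and value as given in the issue comment.
    static final String CONFIG_PROPERTY = "org.owasp.esapi.SecurityConfiguration";
    static final String DEFAULT_CONFIG =
            "org.owasp.esapi.reference.DefaultSecurityConfiguration";

    /** Step 1: must run before anything (Spring context, OpenSAML) touches ESAPI. */
    public static void selectDefaultConfiguration() {
        // Respect an operator-supplied implementation (the "any other
        // implementation" case in the comment); only fill in the default.
        if (System.getProperty(CONFIG_PROPERTY) == null) {
            System.setProperty(CONFIG_PROPERTY, DEFAULT_CONFIG);
        }
    }

    /**
     * Step 2 check: if ESAPI.properties is missing or incomplete, the first
     * call that needs the logger/encoder throws ConfigurationException.
     * Encoding a marker string exercises exactly the facility OpenSAML uses.
     */
    public static boolean verifyConfiguration() {
        try {
            String encoded = ESAPI.encoder().encodeForHTML("<saml>");
            return "&lt;saml&gt;".equals(encoded);
        } catch (ConfigurationException e) {
            System.err.println("ESAPI is misconfigured: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        selectDefaultConfiguration();
        if (!verifyConfiguration()) {
            System.exit(1);   // refuse to start with a half-configured ESAPI
        }
        // ... start the Spring application (and with it Spring SAML) here
    }
}
```

Run this as the first thing in the JVM; if the property is set after OpenSAML has already bootstrapped, or ESAPI.properties is not on the classpath, the check fails instead of the error surfacing later during SAML processing.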

benatwork99 commented 1 year ago

Thanks!

When you make this change, I think you can also remove the xalan dependency from this project. It seems to have been added to up-version esapi's transitive dependency on xalan; esapi 2.3 no longer has a xalan dependency, so after this esapi update this project brings xalan in unnecessarily, which may trigger a different CVE warning in scans.

natrajms commented 1 year ago

CVE-2022-23457 has a 9.8 CRITICAL severity. These changes should be considered.

OrangeDog commented 1 year ago

@natrajms this project is unmaintained, so they're not going to do it. I've left instructions here for how to do it yourself.