
    CVE-2023-34623

    Hi Isomorphic,

    SmartGWT lib dependency jtidy-r938.jar is getting flagged under CVE-2023-34623.

    "An issue was discovered jtidy thru r938 allows attackers to cause a denial of service or other unspecified impacts via crafted object that uses cyclic dependencies."

    https://nvd.nist.gov/vuln/detail/CVE-2023-34623

    Do you have any recommendations pertaining to this?

    Thank you

    #2
    The jtidy project moved from https://sourceforge.net/projects/jtidy/ to https://github.com/jtidy/jtidy

    JTidy was initially written by Andy Quick. The project was maintained at sourceforge.net by Fabrizio Giustina from 2004 to 2010. Since the JTidy project on SourceForge.net seemed to fall into disrepair years ago and had not been updated for years, a few people had forked it on GitHub. William L. Thomson Jr. came along and created a fork of others' forks with a tag for his packaging needs as a dependency for JMeter. Then another came along, Dell Green, who noticed some issues and failing tests, and undertook fixing both.

    Since the code belonged to neither, William decided to create a JTidy organization and revive the project via community support, which you are welcome to join. Eventually this should become the official new home for JTidy.

    Thanks to all past authors and developers. Those who could be found on GitHub have been invited to join this project, along with those that this repository was forked from.
    The release number went from r938 to 1.0.1, and so on.

    While I could not find a statement indicating 100% compatibility, I could also not find an indication that it was not compatible.

    Do you know if we can use the following as a drop-in replacement?

    Code:
    <dependency>
        <groupId>com.github.jtidy</groupId>
        <artifactId>jtidy</artifactId>
        <version>1.0.5</version>
    </dependency>



      #3
      We have not yet checked if this new version is 100% compatible, but we'll take a look.

      Just to give some scope to this vulnerability, an attacker would have to have the ability to log into your system and request a PDF export, and then, at most, this would make the server slightly slower (because a correctly implemented server would just kill the hung thread after a bit).

      So, in your case (SaaS) you'd have a specific user login that tried to slow down the server and in the bizarre scenario that one of your own customers is trying to bring your service down (unsuccessfully) you could cut that customer or account off.

      We'll check on the mitigation, but we just wanted to make it clear: security-wise, this is a non-issue for any system that requires logins.





        #4
        It looks like this does work as a drop-in replacement.

        You can use it with Maven like so:

        Code:
        <dependency>
            <groupId>com.isomorphic.smartclient.enterprise</groupId>
            <artifactId>isomorphic-content-export</artifactId>
            <version>${smartclient.version}</version>
            <exclusions>
                <exclusion>
                    <groupId>net.sf.jtidy</groupId>
                    <artifactId>jtidy</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.github.jtidy</groupId>
            <artifactId>jtidy</artifactId>
            <version>1.0.5</version>
        </dependency>
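        To confirm that the exclusion above actually removed the flagged artifact from the resolved build, here is an added check (not code from the thread or from Isomorphic) that scans `mvn dependency:tree` output for the old `net.sf.jtidy:jtidy` coordinate and for the `com.github.jtidy:jtidy` replacement. The two tree listings are constructed samples, not real build logs.

```python
# Constructed `mvn dependency:tree` output BEFORE the exclusion: the flagged
# jtidy r938 is still pulled in transitively (sample data, not a real build).
SAMPLE_BEFORE = """\
[INFO] --- dependency:3.6.0:tree (default-cli) @ my-app ---
[INFO] com.example:my-app:war:1.0
[INFO] +- com.isomorphic.smartclient.enterprise:isomorphic-content-export:jar:13.0:compile
[INFO] |  \\- net.sf.jtidy:jtidy:jar:r938:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Constructed output AFTER applying the exclusion + replacement shown above.
SAMPLE_AFTER = """\
[INFO] --- dependency:3.6.0:tree (default-cli) @ my-app ---
[INFO] com.example:my-app:war:1.0
[INFO] +- com.isomorphic.smartclient.enterprise:isomorphic-content-export:jar:13.0:compile
[INFO] +- com.github.jtidy:jtidy:jar:1.0.5:compile
[INFO] \\- junit:junit:jar:4.13.2:test
"""

# Coordinates affected by CVE-2023-34623 (as discussed in the thread) and the
# replacement coordinates from the Maven snippet above.
VULNERABLE = ("net.sf.jtidy", "jtidy")
REPLACEMENT = ("com.github.jtidy", "jtidy")


def parse_tree(text):
    """Return (groupId, artifactId, version) for every node in dependency:tree output."""
    deps = []
    for line in text.splitlines():
        body = line[len("[INFO]"):] if line.startswith("[INFO]") else line
        body = body.strip().lstrip("|+\\- ")  # drop the ASCII tree connectors
        parts = body.split(":")
        if len(parts) < 4:
            continue  # plugin banner / status lines, not coordinates
        # root: g:a:type:version   dep: g:a:type[:classifier]:version:scope
        version = parts[-2] if len(parts) >= 5 else parts[-1]
        deps.append((parts[0], parts[1], version))
    return deps


def check_replacement(text):
    """Return (list of still-present vulnerable nodes, replacement_present)."""
    deps = parse_tree(text)
    still_vulnerable = [d for d in deps if (d[0], d[1]) == VULNERABLE]
    replaced = any((d[0], d[1]) == REPLACEMENT for d in deps)
    return still_vulnerable, replaced
```

Run it against the real output of `mvn dependency:tree` for the module that depends on isomorphic-content-export; an empty first element means the old artifact no longer resolves anywhere in the tree.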



          #5
          Also note that we've updated the framework dependency, so you won't need the explicit exclusion & replacement as in the example above, effective with the 13.-d20230930 build.



            #6
            Thank you,
            Are we able to use jtidy 1.0.5 as a drop-in replacement for 12.1p?
            Regards



              #7
              Yes, it seems so.
