Sven-Jrgens-MacBook-Pro:Oxalis-AS4 svejk$ snyk test
Testing /Users/svejk/src/Oxalis-AS4...
Tested 80 dependencies for known issues, found 4 issues, 4 vulnerable paths.
Issues to fix by upgrading:
Upgrade org.apache.cxf:[email protected] to org.apache.cxf:[email protected] to fix
✗ Server-side Request Forgery (SSRF) (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECXF-3168315] in org.apache.cxf:[email protected]
introduced by org.apache.cxf:[email protected]
Upgrade org.apache.cxf:[email protected] to org.apache.cxf:[email protected] to fix
✗ Information Exposure (new) [High Severity][https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHECXF-3168313] in org.apache.cxf:[email protected]
introduced by org.apache.cxf:[email protected]
Upgrade org.apache.wss4j:[email protected] to org.apache.wss4j:[email protected] to fix
✗ Denial of Service (DoS) [Medium Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-3091135] in com.fasterxml.woodstox:[email protected]
introduced by org.apache.wss4j:[email protected] > org.apache.santuario:[email protected] > com.fasterxml.woodstox:[email protected]
✗ XML External Entity (XXE) Injection [Critical Severity][https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLWOODSTOX-2928754] in com.fasterxml.woodstox:[email protected]
introduced by org.apache.wss4j:[email protected] > org.apache.santuario:[email protected] > com.fasterxml.woodstox:[email protected]
I made a draft attempt to solve the issues by upgrading CXF and WSS4J. See the PR: #197
Thanks for the quick response, @aaron-kumar! Dealing with the signature algorithm was really what I was missing in my draft PR, so it is no longer needed. However, I ran into new signature algorithm problems when testing this release. See next issue.