UIMA project logo
Security Reports
 Apache UIMA
Search the site

General
Home
Downloads
Documentation
News
Publications

Issue tracker
Wiki

Powered By UIMA

Community
Get Involved
Mailing Lists
Contribution Policies
FAQ
Project Guidelines

Components & Tools
Annotators
Tools & Servers
Addons and Sandbox
UIMA Ruta
uimaFIT
External Resources

Development
Quick Start: building
Building from Source
One-time setups
Source Code
Doing a UIMA release
Doing a CVE (Apache)
Eclipse Update Sites
GIT
Code Conventions
UIMA Specification (OASIS)
Project Team
Maven Use
Updating this Website

Events and Conferences
COLING 2014
GSCL 2013
IKS 2009
GSCL 2009
LSM 2009
LREC 2008
GLDV 2007

ASF
License
ASF Sponsors
ASF Sponsorship
Security

 Security Update List by CVEs

Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.

  • CVE-2018-8035: Apache UIMA DUCC webserver cross-site scripting (XSS) vulnerability due to unintended execution of user supplied javascript code.

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
  - Apache UIMA DUCC releases including and prior to 2.2.2

Description.
The details of this vulnerability were reported to the Apache UIMA Private mailing list.

This  vulnerability relates to the user's browser processing of DUCC web page input data.

The javascript comprising Apache UIMA DUCC which runs in the user's browser does not sufficiently filter user supplied inputs, which may result in unintended execution of user supplied javascript code.

Mitigation:
Users are advised to upgrade these UIMA components to the following levels:
  - Apache UIMA DUCC: upgrade to 3.0.0 or later

Credit: Marshall Schor 

  • CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure 

Severity: Important  

Vendor:
The Apache Software Foundation

Versions Affected:
  - uimaj 2.x.x releases prior to 2.10.2
  - uimaj 3.0.0 releases prior to 3.0.0-beta
  - uima-as releases prior to 2.10.2
  - uimaFIT releases prior to 2.4.0
  - uimaDUCC releases prior to 2.2.2

Description.
The details of this vulnerability were reported to the Apache UIMA Private
mailing list.

This  vulnerability relates to an XML external entity expansion (XXE) capability
of various XML parsers. See
   https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
for more details.

UIMA as part of its configuration and operation may read XML from various
sources, which could be tainted in ways to cause inadvertent disclosure of local
files or other internal content.

Mitigation:
Users are advised to upgrade these UIMA components to the following levels or later:
  - uimaj: 2.x.x upgrade to 2.10.2 or later
  - uimaj: 3.x.x upgrade to 3.0.0 or later
  - uima-as: upgrade to 2.10.2 or later
  - uimaFIT: upgrade to 2.4.0 or later
  - uimaDUCC: upgrade to 2.2.2 or later

Credit: Joern Kottmann

 Reporting New Security Problems with Apache UIMA

We strongly encourage people to report new security problems to the private security mailing list of the ASF Security Team, before disclosing them in a public forum.

Please see the page of the AFS Security Team for further information and contact information.

The Security Team cannot accept regular bug reports or other queries; please use the regular UIMA mailing lists for those.

 Security Standards

Apache UIMA vulnerabilities are labeled with CVE (Common Vulnerabilities and Exposures) identifiers.
Home Privacy Policy Copyright © 2006-2024, The Apache Software Foundation.
Apache UIMA, UIMA, the Apache UIMA logo and the Apache Feather logo are trademarks of The Apache Software Foundation.
All other marks mentioned may be trademarks or registered trademarks of their respective owners. 		Contact us