
Potential Vulnerability finding


Article ID: 201236


Updated On:

Products

CA Application Test Service Virtualization

Issue/Introduction

We have seen the vulnerability CVE-2020-14338, named "Red Hat Wildfly JAXP Component XMLSchemaValidator Class use-grammar-pool-only Implementation XML File Handling Validation Process Manipulation".

Red Hat Wildfly contains a flaw in the XMLSchemaValidator class in the JAXP component that is due to the way the use-grammar-pool-only feature is implemented. With a specially crafted XML file, a context-dependent attacker can manipulate the validation process and have an unspecified impact.

Does DevTest utilize this component? 

Cause

Vulnerability

Environment

DevTest 10.6
Component: CA Service Virtualization

Resolution

The DevTest code does not use the classes mentioned in the vulnerability description; however, WildFly is used by Keycloak.

We are upgrading to Keycloak 11.0.1, which does not have this vulnerability.

I have checked in 10.6 DevTest and we do not have this vulnerability.

10.3 will reach end of support soon, so we can ask customers to upgrade to the latest version, i.e. 10.6.

DevTest 10.3 and 10.5 were checked for this and were found not to have this issue.
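The checks described above amount to an inventory question: does any archive shipped with the product bundle the JAXP XMLSchemaValidator class that the advisory names? The script below is an added example for reproducing that inventory on an install tree; it is not code from this article or from the DevTest or Keycloak projects. It assumes the class lives at the Apache Xerces path `org/apache/xerces/jaxp/validation/XMLSchemaValidator.class` (or the JDK's internal copy under `com/sun/org/apache/xerces/internal/...`), and the sample archives it builds are constructed fixtures, not real product files. Finding the class only shows that the component is present; whether a given build is patched depends on the artifact version, which the script reports from the jar manifest but does not judge.

```python
"""Inventory check: which archives under an install root bundle the JAXP
XMLSchemaValidator class named in the advisory?  Added example, not code
from the article or the products it discusses.  Class paths below are an
assumption; the fixture built by build_sample_tree() is constructed data.
"""
import io
import os
import sys
import tempfile
import zipfile
from typing import List

# Candidate class paths (assumed: Xerces and the JDK-internal copy).
CANDIDATE_CLASSES = (
    "org/apache/xerces/jaxp/validation/XMLSchemaValidator.class",
    "com/sun/org/apache/xerces/internal/jaxp/validation/XMLSchemaValidator.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def manifest_version(archive: zipfile.ZipFile) -> str:
    """Return Implementation-Version from META-INF/MANIFEST.MF, or 'unknown'."""
    try:
        raw = archive.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return "unknown"
    for line in raw.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "Implementation-Version":
            return value.strip()
    return "unknown"


def scan_archive(archive: zipfile.ZipFile, label: str, findings: List[dict]) -> None:
    """Record a finding if this archive bundles the class; recurse into nested jars
    (e.g. WEB-INF/lib inside a war) so a Keycloak-style deployment is covered."""
    names = archive.namelist()
    hits = [c for c in CANDIDATE_CLASSES if c in names]
    if hits:
        findings.append({"jar": label, "classes": hits,
                         "version": manifest_version(archive)})
    for name in names:
        if name.lower().endswith(".jar"):
            try:
                with zipfile.ZipFile(io.BytesIO(archive.read(name))) as inner:
                    scan_archive(inner, f"{label}!{name}", findings)
            except zipfile.BadZipFile:
                continue  # entry named .jar but not a zip; skip it


def scan_tree(root: str) -> List[dict]:
    """Walk root and return findings for every jar/war/ear, sorted by path."""
    findings: List[dict] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            try:
                with zipfile.ZipFile(path) as archive:
                    scan_archive(archive, path, findings)
            except zipfile.BadZipFile:
                continue  # corrupt file or non-zip with an archive suffix
    return sorted(findings, key=lambda f: f["jar"])


def build_sample_tree(root: str) -> None:
    """Constructed fixture (not real product files): a jar that bundles the
    class with a manifest version, a jar that does not, and a war whose
    WEB-INF/lib jar bundles the class but carries no manifest."""
    os.makedirs(root, exist_ok=True)
    fake_class = b"\xca\xfe\xba\xbe"  # class-file magic only; constructed
    with zipfile.ZipFile(os.path.join(root, "xerces-sample.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF",
                   "Manifest-Version: 1.0\nImplementation-Version: 0.0.0-sample\n")
        z.writestr(CANDIDATE_CLASSES[0], fake_class)
    with zipfile.ZipFile(os.path.join(root, "other.jar"), "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("com/example/Other.class", fake_class)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(CANDIDATE_CLASSES[0], fake_class)
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/xerces-nested.jar", inner.getvalue())


def demo() -> List[dict]:
    """Build the fixture in a temp dir, scan it, return findings with relative labels."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        findings = scan_tree(tmp)
    return [{**f, "jar": os.path.relpath(f["jar"], tmp)} for f in findings]


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        print(f"{f['jar']}  version={f['version']}  classes={f['classes']}")
```

Run it with the install root as the first argument (`python scan.py /path/to/DevTest`); with no argument it scans the constructed fixture. Anything it reports should then be compared against the fixed Xerces/WildFly build that the vendor upgrade (Keycloak 11.0.1 in this article) ships, since the script deliberately stops at "component present, version X" rather than guessing at patch status.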