Security Reports
Apache UIMA

 Security Update List by CVEs

Here are the known Security Vulnerabilities for Apache UIMA, listed by CVE number.

  • CVE-2017-15691: Apache UIMA XML external entity expansion (XXE) attack exposure 
    
    Severity: Important  
    
    Vendor:
    The Apache Software Foundation
    
    Versions Affected:
      - uimaj 2.x.x releases prior to 2.10.2
      - uimaj 3.0.0 releases prior to 3.0.0-beta
      - uima-as releases prior to 2.10.2
      - uimaFIT releases prior to 2.4.0
      - uimaDUCC releases prior to 2.2.2
    
    Description:
    The details of this vulnerability were reported to the Apache UIMA Private
    mailing list.
    
    This vulnerability relates to an XML external entity expansion (XXE) capability
    of various XML parsers. See
       https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
    for more details.
    
    UIMA as part of its configuration and operation may read XML from various
    sources, which could be tainted in ways to cause inadvertent disclosure of local
    files or other internal content.
    
    Mitigation:
    Users are advised to upgrade these UIMA components to the following levels or later:
      - uimaj: 2.x.x upgrade to 2.10.2 or later
      - uimaj: 3.x.x upgrade to 3.0.0 or later
      - uima-as: upgrade to 2.10.2 or later
      - uimaFIT: upgrade to 2.4.0 or later
      - uimaDUCC: upgrade to 2.2.2 or later
    
    Credit: Joern Kottmann
    
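The description above says UIMA reads its XML configuration from various sources and that a parser which expands external entities can be made to disclose local files. The fix for that class of problem, independent of the version upgrades listed under Mitigation, is to configure the XML parser so that it never resolves external entities at all. The following is an added example of that hardening using the JAXP `SAXParserFactory` in the JDK; it is not UIMA's own code and does not claim to show how the UIMA project patched the advisory. The class name `HardenedDescriptorReader`, the helper `elementNames`, and the two sample documents are constructed for illustration; the feature URIs are the standard ones recognised by the JDK's built-in Xerces parser.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example (not UIMA project code): an XML reader that cannot be used for XXE. */
public final class HardenedDescriptorReader {

    // Feature URIs understood by the JDK's built-in Xerces SAX parser.
    private static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    private static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    /** Builds a factory whose parsers refuse DOCTYPEs and never fetch external content. */
    public static SAXParserFactory newHardenedFactory()
            throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        // Entities can only be declared inside a DOCTYPE, so rejecting the DOCTYPE
        // outright removes the whole attack surface; the remaining features are
        // defence in depth for parsers that do not honour the first one.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        factory.setFeature(DISALLOW_DOCTYPE, true);
        factory.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setFeature(LOAD_EXTERNAL_DTD, false);
        // XInclude is another way to pull in local files; keep it off for untrusted input.
        factory.setXIncludeAware(false);
        return factory;
    }

    /** Parses descriptor-like XML from an untrusted string and returns the element names seen. */
    public static List<String> elementNames(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        SAXParser parser = newHardenedFactory().newSAXParser();
        List<String> names = new ArrayList<>();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void startElement(String uri, String localName, String qName, Attributes attrs) {
                names.add(qName);
            }
        });
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample shaped like a UIMA analysis engine descriptor; not a real project file.
        String benign = "<?xml version=\"1.0\"?>"
            + "<analysisEngineDescription><primitive>true</primitive></analysisEngineDescription>";
        System.out.println("benign document elements: " + elementNames(benign));

        // Constructed sample carrying a DOCTYPE that declares an external entity.
        // The hardened parser rejects the DOCTYPE before any entity can be resolved,
        // so the placeholder path is never opened.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>"
            + "<analysisEngineDescription>&ext;</analysisEngineDescription>";
        try {
            elementNames(withDoctype);
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The benign document parses and yields the two element names; the document with a DOCTYPE is rejected with a `SAXParseException` whose message names the `disallow-doctype-decl` feature, which is the behaviour to verify after upgrading any component that parses descriptors, type systems or other XML from an untrusted source. If a deployment legitimately needs a DTD, keep `disallow-doctype-decl` off but leave the two external-entity features and `load-external-dtd` set as above.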

 Reporting New Security Problems with Apache UIMA

We strongly encourage people to report new security problems to the private security mailing list of the ASF Security Team, before disclosing them in a public forum.

Please see the page of the ASF Security Team for further information and contact information.

The Security Team cannot accept regular bug reports or other queries; please use the regular UIMA mailing lists for those.

 Security Standards

Apache UIMA vulnerabilities are labeled with CVE (Common Vulnerabilities and Exposures) identifiers.