Subramanian S

**Name of the Vulnerable Software and Affected Versions** Apache OpenNLP versions prior to 2.5.9 Apache OpenNLP versions prior to 3.0.0-M3 **Description** The `DictionaryEntryPersistor` class initializes a static `SAXParserFactory` without enabling `FEATURE SECURE PROCESSING` or disabling DTD processing. When the `create(InputStream, EntryInserter)` function is invoked, external entity resolution and DOCTYPE declarations remain enabled. An attacker providing a crafted dictionary file containing a malicious DOCTYPE declaration can trigger local file disclosure via `file://` entity references or server-side request forgery (SSRF)—a technique where the attacker forces the server to make requests to an unintended location—via `http://` entity references during SAX parsing. The `Dictionary(InputStream)` constructor, which is the documented API for loading user-supplied dictionaries, delegates directly to this method. **Recommendations** Upgrade to version 2.5.9 for 2.x users. Upgrade to version 3.0.0-M3 for 3.x users. Ensure all dictionary files are sourced from trusted origins. Implement input validation to reject any XML containing a DOCTYPE declaration before it reaches the `Dictionary(InputStream)` constructor.

**Name of the Vulnerable Software and Affected Versions** Apache OpenNLP versions prior to 2.5.9 Apache OpenNLP versions prior to 3.0.0-M3 **Description** The `ExtensionLoader.instantiateExtension(Class, String)` function loads a class by its fully-qualified name using `Class.forName()` and invokes its no-arg constructor, with the class name sourced from the `manifest.properties` entry of a model archive. Because `Class.forName()` executes the target class's static initializer before the `isAssignableFrom` type check occurs, an attacker providing a crafted model archive can trigger the static initializer of any class on the classpath. This can lead to arbitrary class instantiation if classes with side effects in their static initializers (such as JNDI lookups, outbound network I/O, or filesystem access) are present. Additionally, a narrower vector exists where a malicious manifest can force the execution of no-arg constructors for legitimate `BaseToolFactory` or `ArtifactSerializer` subclasses that have side-effecting constructors. **Recommendations** Upgrade to version 2.5.9 for 2.x users. Upgrade to version 3.0.0-M3 for 3.x users. Ensure all model files are sourced from trusted origins. Audit the classpath for classes with side-effecting static initializers or constructors, specifically those performing JNDI lookups, network requests, or filesystem operations during initialization.

**Name of the Vulnerable Software and Affected Versions** Apache OpenNLP versions prior to 2.5.9 Apache OpenNLP versions prior to 3.0.0-M3 **Description** An OutOfMemory (OOM) Denial of Service exists in the `AbstractModelReader` class. The methods `getOutcomes()`, `getOutcomePatterns()`, and `getPredicates()` read a 32-bit signed integer count from a binary model stream and use it for array allocation without validating if the value is non-negative or within reasonable bounds. An attacker can provide a crafted .bin model file with a count field set to a very large value, such as `Integer.MAX VALUE`, to exhaust the available heap and trigger an `OutOfMemoryError` during deserialization. This allows a small malicious file to crash the Java Virtual Machine (JVM) of any process loading model files from untrusted or semi-trusted origins. **Recommendations** Upgrade to version 2.5.9 for 2.x users. Upgrade to version 3.0.0-M3 for 3.x users. Treat all .bin model files as untrusted input and avoid loading models from end users or third-party repositories without integrity checks. For deployments requiring more than 10,000,000 entries, set the `OPENNLP MAX ENTRIES` system property to the desired positive integer at JVM startup.

**Name of the Vulnerable Software and Affected Versions** VMware vRealize Log Insight versions prior to 8.8.2 **Description** The issue is related to a stored cross-site scripting vulnerability due to improper input sanitization in configurations. This could allow a remote attacker to perform a cross-site scripting attack. **Recommendations** For versions prior to 8.8.2, update to version 8.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to configurations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** VMware vRealize Log Insight versions prior to 8.8.2 **Description** The issue is related to a stored cross-site scripting vulnerability due to improper input sanitization in alerts, which can allow a remote attacker to conduct cross-site scripting attacks. This is caused by a lack of protection of the web page structure. **Recommendations** For versions prior to 8.8.2, update to version 8.8.2 or later to resolve the issue. As a temporary workaround, consider restricting access to alerts to minimize the risk of exploitation.