Security Update


Via dependency scan, it has been determined that Broadleaf Microservices can be vulnerable to CVE-2021-42575 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42575) under some circumstances. This document provides guidance on how to diagnose if your implementation of Broadleaf Microservices is vulnerable and how to patch your implementation for immediate remediation.


Google describes the nature of the vulnerability here: https://docs.google.com/document/d/11SoX296sMS0XoQiQbpxc5pNxSdbJKDJkm5BDv0zrX50/edit. Specifically, HTML Sanitizer configurations that allow `select`, `style`, and `option` HTML elements are considered vulnerable. Out-of-the-box, Broadleaf Microservices does not allow any of these elements and the default Broadleaf configuration is not considered vulnerable.


How To Diagnose If Your Implementation Is Vulnerable


Review your customizations in your Spring Configuration classes. Determine whether you have declared an override of the XSSRequestProcessingService component (bean id: `xssRequestProcessingService`). If you have such a customization, review the list of allowed elements you pass to any `PolicyFactory` construction. Any inclusion of the `select`, `style`, or `option` elements exposes your implementation to the vulnerability.
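The following is an added example, not Broadleaf code, showing how to check the effective policy rather than only reading the configuration. It builds two `PolicyFactory` instances with the OWASP Java HTML Sanitizer API: one that stays within a conservative allow-list and one of the kind the advisory warns against (it allows `select`, `style`, and `option`). A small probe method then feeds each policy constructed, attribute-free markup for the three elements and reports which of them survive sanitization. The class name, method names, and the probe inputs are assumptions; the same probe can be pointed at whatever `PolicyFactory` your own `xssRequestProcessingService` override constructs.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not part of Broadleaf Microservices): checks whether a
 * sanitizer policy lets through the elements named in the advisory.
 */
public class SanitizerPolicyCheck {

    // The elements whose inclusion in an allow-list the advisory flags.
    static final List<String> FLAGGED_ELEMENTS = List.of("select", "style", "option");

    /** A conservative allow-list policy that does not include the flagged elements. */
    static PolicyFactory safePolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "b", "i", "ul", "ol", "li", "a")
                .allowAttributes("href").onElements("a")
                .allowStandardUrlProtocols()
                .requireRelNofollowOnLinks()
                .toFactory();
    }

    /** A policy of the kind a customization might declare and that the advisory says to avoid. */
    static PolicyFactory flaggedPolicy() {
        return new HtmlPolicyBuilder()
                .allowElements("p", "select", "option", "style")
                .toFactory();
    }

    /**
     * Returns the flagged elements that survive sanitization under the given policy.
     * The probe markup is constructed here and is deliberately bare: one element,
     * no attributes, plain text content.
     */
    static List<String> elementsPassedThrough(PolicyFactory policy) {
        List<String> passed = new ArrayList<>();
        for (String element : FLAGGED_ELEMENTS) {
            String probe = "<p>text</p><" + element + ">content</" + element + ">";
            String sanitized = policy.sanitize(probe);
            // A policy that disallows the element removes its tag entirely.
            if (sanitized.toLowerCase().contains("<" + element)) {
                passed.add(element);
            }
        }
        return passed;
    }

    public static void main(String[] args) {
        // Expected: the safe policy passes nothing; the flagged policy passes all three.
        System.out.println("safe policy passes through:    " + elementsPassedThrough(safePolicy()));
        System.out.println("flagged policy passes through: " + elementsPassedThrough(flaggedPolicy()));
    }
}
```

Run this as a unit test against the policy your override actually builds: a non-empty result from `elementsPassedThrough` means the configuration allows at least one of the flagged elements and the dependency upgrade in the remediation section is required. After upgrading, you can confirm which version of the library your build resolves with `mvn dependency:tree -Dincludes=com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer`.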


How To Remediate


In the root pom.xml file of your project, you can declare a dependency version change according to the recommendations from the library provider. Either create a `dependencies` section in the pom file, or introduce the dependency change to an existing `dependencies` section.


```xml
<dependencies>
    ...
    <dependency>
        <groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
        <artifactId>owasp-java-html-sanitizer</artifactId>
        <version>20211018.2</version>
    </dependency>
</dependencies>
```


Broadleaf recommends that you validate the change in a test environment before deploying to production. Confirm that your build contains the updated version of the owasp-java-html-sanitizer jar and that the Broadleaf admin tool works as expected for normal form submissions.