The Orekit team has released versions 7.2.1, 8.0.1, and 9.0.1 of Orekit to fix a security vulnerability.
Orekit versions 5.0, 6.0, 6.1, 7.0, 7.1, 7.2, 8.0, and 9.0 are vulnerable to an XML External Entity (XXE) attack when loading XML format Earth Orientation Parameters (EOP) or Tracking Data Messages (TDM) from an untrusted source, possibly resulting in denial of service (through entity expansion) or data theft (through external entities that read local files or fetch remote URIs). For more on the mechanism and possible exploitations of XXEs see https://www.vsecurity.com//download/papers/XMLDTDEntityAttacks.pdf.
The Orekit team recommends that all users update to one of the newly released versions as quickly as possible.
Security fix versions were not released for the 5.x and 6.x series because these versions are considered to be obsolete. If you cannot upgrade from these obsolete versions, please email the Orekit developers (orekit-developers@orekit.org) to discuss creating a security fix release.
A CVE number has been requested.