Bug 1000186 (CVE-2013-4152)

Summary: CVE-2013-4152 Spring Framework: XML External Entity (XXE) injection flaw
Product: Other
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bleanhar, ccoleman, chazlett, djorm, dmcphers, jdetiber, jialiu, lmeyer, weli
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Spring Framework 3.2.4
Doc Type: Bug Fix
Last Closed: 2014-05-04 22:44:21 UTC
Bug Depends On: 1000900, 1000901, 1000902, 1061891
Bug Blocks: 1000188, 1004652, 1026176, 1059975

Description Vincent Danen 2013-08-22 21:52:38 UTC
It was reported [1] that the Spring Framework suffered from several XML External Entity (XXE) flaws:

Versions Affected:
- 3.0.0 to 3.2.3 (Spring OXM)
- 3.2.0 to 3.2.3 (Spring MVC)
- 4.0.0.M1 (Spring OXM)
- 4.0.0.M1-4.0.0.M2 (Spring MVC)
- Earlier unsupported versions may also be affected

Description:
The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller.
There are four possible source implementations passed to the unmarshaller:
- DOMSource
- StAXSource
- SAXSource
- StreamSource
For a DOMSource, the XML has already been parsed by user code and that code is responsible for protecting against XXE.
For a StAXSource, the XMLStreamReader has already been created by user code and that code is responsible for protecting against XXE.
For SAXSource and StreamSource instances, Spring processed external entities by default, thereby creating this vulnerability.
The issue was resolved by disabling external entity processing by default and adding an option to enable it for those users that need to use this feature when processing XML from a trusted source.

It was also identified that Spring MVC processed user-provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has been disabled in this case.


Mitigation:
Users of affected versions should apply the following mitigation:
- Users of 3.x should upgrade to 3.2.4 or later
- Users of 4.x should upgrade to 4.0.0.RC1 or later once released
Note: the Spring OXM issue is fixed in 4.0.0.M2.

[1] http://seclists.org/bugtraq/2013/Aug/154


External References:

http://www.gopivotal.com/security/cve-2013-4152
https://github.com/SpringSource/spring-framework/pull/317
https://jira.springsource.org/browse/SPR-10806
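
The vulnerable StreamSource path and the hardened SAXSource wrapper described above, as an added example (not Spring's own code; the `Order` class, the sample document and the file path in it are constructed; it needs `javax.xml.bind`, i.e. JDK 8 or the JAXB API jars, and the SAX feature URIs assume a Xerces-based parser such as the JDK's):

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.UnmarshalException;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class SafeJaxbSource {
    @XmlRootElement(name = "order")
    public static class Order { public String note; }

    // Constructed sample input: a DOCTYPE declaring an external entity.
    static final String INPUT =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>"
      + "<order><note>&ext;</note></order>";

    // Vulnerable pattern (Spring OXM before 3.2.4 passed a StreamSource through
    // like this): JAXB picks a default parser, which resolves &ext;.
    static Source unsafeSource(String xml) {
        return new StreamSource(new StringReader(xml));
    }

    // Hardened pattern: wrap the input in a SAXSource whose XMLReader rejects
    // DOCTYPEs outright and never fetches external entities.
    static Source safeSource(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        XMLReader reader = f.newSAXParser().getXMLReader();
        return new SAXSource(reader, new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Order.class).createUnmarshaller();
        try {
            Order o = (Order) u.unmarshal(safeSource(INPUT));
            System.out.println("unexpected: entity was resolved to " + o.note);
        } catch (UnmarshalException e) {
            // Expected: the parser rejects the DOCTYPE before any entity is resolved.
            System.out.println("rejected as expected: " + e.getCause());
        }
    }
}
```

Swapping `safeSource` for `unsafeSource` in `main` shows the pre-3.2.4 behaviour: the unmarshal succeeds and `note` carries the contents of the referenced file, which is exactly the read-arbitrary-files outcome the advisory describes.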

Comment 4 Vincent Danen 2013-11-02 16:32:55 UTC
Further information on this was recently posted: http://seclists.org/fulldisclosure/2013/Nov/14

Comment 5 Vincent Danen 2014-01-23 22:04:25 UTC
This issue has been split; MITRE has provided the following guidance on CVE names:

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4152 to
the following vulnerability:

Name: CVE-2013-4152
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4152
Assigned: 20130612
Reference: http://seclists.org/bugtraq/2013/Aug/154
Reference: http://seclists.org/fulldisclosure/2013/Nov/14
Reference: http://www.gopivotal.com/security/cve-2013-4152
Reference: https://github.com/spring-projects/spring-framework/pull/317/files
Reference: https://jira.springsource.org/browse/SPR-10806

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1,
when using the JAXB marshaller, does not disable entity resolution,
which allows context-dependent attackers to read arbitrary files,
cause a denial of service, and conduct CSRF attacks via an XML
external entity declaration in conjunction with an entity reference in
a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource,
aka an XML External Entity (XXE) issue.



Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7315 to
the following vulnerability:

Name: CVE-2013-7315
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7315
Assigned: 20140123
Reference: http://seclists.org/bugtraq/2013/Aug/154
Reference: http://seclists.org/fulldisclosure/2013/Nov/14
Reference: http://www.gopivotal.com/security/cve-2013-4152
Reference: https://jira.springsource.org/browse/SPR-10806

The Spring MVC in Spring Framework 3.2.x before 3.2.4 and 4.0.0.M1 through
4.0.0.M2 does not disable external entity resolution for the StAX
XMLInputFactory, which allows context-dependent attackers to read
arbitrary files, cause a denial of service, and conduct CSRF attacks
via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and
a different vulnerability than CVE-2013-4152.  NOTE: this issue was
SPLIT from CVE-2013-4152 due to different affected versions.

Comment 7 errata-xmlrpc 2014-02-25 16:42:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2014:0212 https://rhn.redhat.com/errata/RHSA-2014-0212.html

Comment 8 errata-xmlrpc 2014-03-03 18:26:34 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 2.0

Via RHSA-2014:0245 https://rhn.redhat.com/errata/RHSA-2014-0245.html

Comment 9 errata-xmlrpc 2014-03-05 19:05:55 UTC
This issue has been addressed in the following products:

  RHEL 6 Version of OpenShift Enterprise 1.2

Via RHSA-2014:0254 https://rhn.redhat.com/errata/RHSA-2014-0254.html

Comment 11 errata-xmlrpc 2014-04-14 13:48:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html

Comment 12 Chess Hazlett 2014-04-15 02:32:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html