Bug 1045257 (CVE-2013-4517)

Summary: CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdawidow, brms-jira, cdewolf, chazlett, dandread, darran.lofthouse, epp-bugs, fnasser, grocha, hfnukal, huwang, jason.greene, jason.greene, jawilson, jbpapp-maint, jcoleman, jdg-bugs, jpallich, jrusnack, kconner, kejohnso, kkhan, lgao, mjc, mweiler, myarboro, pavelp, pcheung, pgier, pslavice, rhq-maint, rsvoboda, rzhang, soa-p-jira, spinder, theute, tkirby, ttarrant, vtunka, weli
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: xml-security 1.5.6
Doc Type: Bug Fix
Doc Text:
It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-05-01 20:14:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1045275, 1045276, 1045277, 1045278, 1045279, 1045287, 1045288, 1157992, 1161380, 1161381, 1161382, 1161384, 1161385, 1161386, 1161387, 1161388, 1161389, 1161390, 1161391, 1161392, 1161395
Bug Blocks: 1045272, 1050810, 1055846, 1087103, 1089812, 1102439, 1150823, 1200191, 1210482

Description Arun Babu Neelicattu 2013-12-20 03:14:01 UTC
The Apache Santuario XML Security for Java project is vulnerable to a Denial
of Service (DoS) type attack leading to an OutOfMemoryError, which is caused
by allowing Document Type Definitions (DTDs) when applying Transforms.

References:
https://cwiki.apache.org/confluence/download/attachments/27821224/cve-2013-4517.txt.asc
http://svn.apache.org/viewvc?view=revision&revision=1537956
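Added defensive example (not code from this bug report or from the Santuario project): verifying an XML signature through the JDK's JSR 105 API while refusing any DOCTYPE at parse time and enabling secure validation, the two application-side controls relevant to this flaw, in addition to upgrading to xml-security 1.5.6 or later. The class name, the `validate` helper and the DOCTYPE sample document are constructed for illustration; the helper assumes exactly one `ds:Signature` element in the document.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import javax.xml.XMLConstants;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class HardenedSignatureCheck {
    // Parser that refuses any DOCTYPE, so DTD processing cannot start
    // before the signature code (and its Transforms) ever sees the document.
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // needed to locate ds:Signature by namespace
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    // Throws on a DOCTYPE at parse time; otherwise returns the signature verdict.
    static boolean validate(byte[] xml, Key verificationKey) throws Exception {
        Document doc = hardenedBuilder().parse(new ByteArrayInputStream(xml));
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one ds:Signature");
        }
        DOMValidateContext ctx = new DOMValidateContext(verificationKey, sigs.item(0));
        // JSR 105 secure-validation switch; per this advisory the Santuario code
        // applies it to DTDs in Transforms only from 1.5.6 on, so upgrade as well.
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(ctx);
        return sig.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: any DOCTYPE is rejected before Transforms run,
        // whatever the DTD itself contains.
        byte[] withDoctype = "<!DOCTYPE r><r/>".getBytes(StandardCharsets.UTF_8);
        try {
            hardenedBuilder().parse(new ByteArrayInputStream(withDoctype));
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (org.xml.sax.SAXParseException e) {
            System.out.println("DOCTYPE rejected as intended: " + e.getMessage());
        }
    }
}
```

The parse-time check is independent of the library version, so it also protects deployments that cannot upgrade immediately; secure validation alone is not sufficient on releases before 1.5.6.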

Comment 3 Arun Babu Neelicattu 2013-12-20 05:40:47 UTC
As per http://coheigea.blogspot.com.au/2013/12/security-advisory-cve-2013-4517-released.html

> This issue is fixed (when secure validation is enabled) in Apache Santuario XML Security for Java 1.5.6. This release is picked up by new releases of Apache WSS4J (1.6.13), and Apache CXF (2.7.8 and 2.6.11).

Comment 10 errata-xmlrpc 2014-02-13 18:38:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0172 https://rhn.redhat.com/errata/RHSA-2014-0172.html

Comment 11 errata-xmlrpc 2014-02-13 18:39:50 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0171 https://rhn.redhat.com/errata/RHSA-2014-0171.html

Comment 12 errata-xmlrpc 2014-02-13 18:41:36 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0170 https://rhn.redhat.com/errata/RHSA-2014-0170.html

Comment 13 errata-xmlrpc 2014-02-20 17:23:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.1

Via RHSA-2014:0195 https://rhn.redhat.com/errata/RHSA-2014-0195.html

Comment 14 Chess Hazlett 2014-04-15 02:39:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html

Comment 15 errata-xmlrpc 2014-05-06 18:02:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.1

Via RHSA-2014:0473 https://rhn.redhat.com/errata/RHSA-2014-0473.html

Comment 16 errata-xmlrpc 2014-05-29 20:29:18 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2014:0582 https://rhn.redhat.com/errata/RHSA-2014-0582.html

Comment 17 Arun Babu Neelicattu 2014-10-28 08:32:32 UTC
Statement:

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Fuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4; Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 19 Arun Babu Neelicattu 2014-10-28 08:34:16 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2013/4517.yaml

Comment 20 Arun Babu Neelicattu 2014-10-28 08:42:23 UTC
Created xml-security tracking bugs for this issue:

Affects: fedora-all [bug 1157992]

Comment 21 errata-xmlrpc 2014-10-28 15:51:34 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:1725 https://rhn.redhat.com/errata/RHSA-2014-1725.html

Comment 22 errata-xmlrpc 2014-10-28 16:02:11 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 4

Via RHSA-2014:1728 https://rhn.redhat.com/errata/RHSA-2014-1728.html

Comment 23 errata-xmlrpc 2014-10-28 16:02:45 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:1727 https://rhn.redhat.com/errata/RHSA-2014-1727.html

Comment 24 errata-xmlrpc 2014-10-28 16:02:49 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4

Via RHSA-2014:1726 https://rhn.redhat.com/errata/RHSA-2014-1726.html

Comment 25 Martin Prpič 2014-10-29 12:28:29 UTC
IssueDescription:

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.

Comment 26 Fedora Update System 2014-11-07 02:30:00 UTC
xml-security-1.5.7-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2014-11-10 06:06:02 UTC
xml-security-1.5.7-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2015-03-11 16:52:03 UTC
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 35 errata-xmlrpc 2015-04-16 16:03:58 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html

Comment 36 errata-xmlrpc 2015-04-16 16:08:33 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html