Bug 1058582 (CVE-2014-1202)

Summary: CVE-2014-1202 SoapUI: remote code execution when processing WSDL
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jbpapp-maint, mjc, soa-p-jira
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-01-28 05:40:54 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Jorm 2014-01-28 05:34:26 UTC 
It was found that SoapUI would expand properties in WSDL files. A remote attacker, able to supply a WSDL file that would be processed by SoapUI, could supply arbitrary Groovy code in the property of a WSDL element. This property would be expanded, and the Groovy code executed, when the SoapUI client processed the WSDL.
Comment 1 David Jorm 2014-01-28 05:36:36 UTC 
External References:

http://baraktawily.blogspot.com/2014/01/soapui-code-execution-vulnerability-cve.html

Upstream patch commit:

https://github.com/SmartBear/soapui/commit/6373165649ad74257493c69dbc0569caa7e6b4a6
Comment 2 David Jorm 2014-01-28 05:40:54 UTC 
Statement:

Not affected. Red Hat JBoss SOA Platform 4.3 and 5.3 support the SOAPClient action, which will use the SoapUI library to make calls to external web services. However, these products use SoapUI 1.7.1, while the vulnerable property expansion feature was not introduced until SoapUI 2.5. Therefore no Red Hat products are affected by this flaw.