Bug 1061509 (CVE-2013-7315)

Summary: CVE-2013-7315 Spring Framework: XML External Entity (XXE) injection flaw
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aneelica, mjc, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Spring Framework 3.2.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-05 02:01:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description David Jorm 2014-02-05 01:49:03 UTC 
It was found that Spring MVC processed user-provided XML with JAXB, in combination with a StAX XMLInputFactory, without disabling external entity resolution. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. This flaw affects Spring Framework 3.2.x before 3.2.4 and 4.0.0.M1 through 4.0.0.M2.
Comment 1 David Jorm 2014-02-05 02:01:44 UTC 
Upstream Patch:

https://jira.springsource.org/secure/attachment/21319/Jaxb2CollectionHttpMessageConverter.patch

Statement:

Not affected. Spring MVC as shipped in various Red Hat products does not include the vulnerable org.springframework.http.converter.xml.Jaxb2CollectionHttpMessageConverter class.