Bug 1110110 (CVE-2014-0225)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2014-0225 Spring Framework: Information disclosure via SSRF | | |
| Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | acathrow, agrimm, aileenc, alazarot, bazulay, bdawidow, bleanhar, bmcclain, ccoleman, chazlett, cpelland, dandread, dblechte, dmcphers, ecohen, epp-bugs, etirelli, fnasser, gklein, grocha, gvarsami, hfnukal, huwang, idith, iheim, jbpapp-maint, jcoleman, jdetiber, jialiu, jkeck, joelsmith, jokerman, jpallich, jrusnack, juan.hernandez, kconner, kseifried, ldimaggi, lgao, lmeyer, lpetrovi, lsurette, mbaluch, michal.skrivanek, mmccomas, mmcgrath, msrb, mweiler, mwinkler, myarboro, nobody, nwallace, pavelp, rbalakri, Rhev-m-bugs, rrajasek, rwagner, rzhang, soa-p-jira, tcunning, theute, tkirby, weli, yeylon, ylavi |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | spring-webmvc-3.2.9.RELEASE, spring-webmvc-4.0.5.RELEASE, spring-oxm-3.2.9.RELEASE, spring-oxm-4.0.5.RELEASE | Doc Type: | Bug Fix |
| Doc Text: | It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-01-21 20:54:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1110112, 1110113, 1110114, 1110115, 1110116, 1110327, 1110328, 1110329, 1110330, 1110331, 1110332, 1110333, 1166968, 1166969, 1166970 | | |
| Bug Blocks: | 1059445, 1110111 | | |
Description

Arun Babu Neelicattu, 2014-06-17 05:05:53 UTC

Added to Victims CVE DB [1].

[1] https://github.com/victims/victims-cve-db/blob/master/database/java/2014/0225.yaml

Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1110333]

Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift.

IssueDescription:

It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers.

This issue has been addressed in the following products:

Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html

springframework-3.1.4-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

This bug is part of Product Security work flow and should only be closed by Product Security engineers.
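The issue description above hinges on an XML parser that still resolves the URI in a DTD declaration of user-provided XML. As an added example (not Spring's code and not taken from this bug), the standalone Java class below configures a `DocumentBuilderFactory` so that a DOCTYPE is rejected outright and external entities and external DTDs are never loaded; the class name and the `.invalid` host in the constructed sample input are placeholders, not part of the original report.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added example: parse untrusted XML without fetching any DTD or entity URI. */
public final class HardenedXmlParser {

    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Reject any <!DOCTYPE ...>: with no DTD there is no SYSTEM URI to resolve.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that honour DOCTYPE but can skip external loads.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Returns the root element name; throws SAXException when the input carries a DOCTYPE. */
    static String parseRootName(String xml) throws Exception {
        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; the host is a placeholder and is never contacted.
        String benign = "<?xml version=\"1.0\"?><order><id>1</id></order>";
        String withDtd = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE order SYSTEM \"http://internal-host.invalid/order.dtd\">"
            + "<order><id>1</id></order>";
        System.out.println("benign root element: " + parseRootName(benign));
        try {
            parseRootName(withDtd);
            System.out.println("DOCTYPE input accepted: parser is NOT hardened");
        } catch (SAXException e) {
            // Expected path: the document is refused before any URI is resolved.
            System.out.println("DOCTYPE input rejected: " + e.getMessage());
        }
    }
}
```

The same feature names apply to a `SAXParserFactory`, and StAX parsers need `XMLInputFactory.SUPPORT_DTD` and `IS_SUPPORTING_EXTERNAL_ENTITIES` set to false; a quick check for the timing side channel described in the report is to confirm that parsing the DOCTYPE input completes in the same time whether or not the referenced host exists.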