Bug 1112987 (CVE-2014-3530)

Summary: CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
Product: [Other] Security Response
Reporter: Arun Babu Neelicattu <aneelica>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: anmiller, batkisso, bdawidow, cdewolf, chazlett, dandread, darran.lofthouse, fnasser, grocha, hfnukal, huwang, jawilson, jcacek, jcoleman, jpallich, jrusnack, kconner, kejohnso, lgao, mweiler, myarboro, pavelp, pgier, pskopek, pslavice, rsvoboda, security-response-team, slaskawi, spinder, theute, tkirby, ttarrant, vtunka, weli
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=important,public=20140715,reported=20140624,source=upstream,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,cwe=CWE-611,jboss/others=notaffected,bpms-6/picketlink=affected,brms-6/picketlink=affected,jdg-6/picketlink=affected,jdv-6/picketlink=affected,eap-5/picketlink=affected,eap-6/picketlink=affected,brms-5/picketlink=wontfix,epp-5/picketlink=affected,soap-5/picketlink=affected,jboss/ewp-5=affected,fsw-6/picketlink=affected,jon-3/picketlink=affected,jpp-6/picketlink=affected
Doc Type: Bug Fix
Doc Text:
It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Last Closed: 2016-03-10 22:00:45 UTC
Bug Depends On: 1114503, 1114504, 1114505, 1114506, 1114507, 1114508, 1114509, 1114510, 1114511, 1114512, 1114513, 1114514, 1114515, 1114516, 1114517, 1114523, 1114524, 1114525, 1114532, 1114533, 1114534, 1114536, 1114537, 1160694
Bug Blocks: 1082938, 1093885, 1113216, 1116052, 1116289, 1119792, 1127901, 1181883, 1182400, 1182419, 1200191, 1244362, 1244363, 1551389

Description Arun Babu Neelicattu 2014-06-25 08:26:50 UTC
It was found that the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method implementation provided a DocumentBuilderFactory that will expand entity references. This could be used by a remote, unauthenticated attacker to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 1 Arun Babu Neelicattu 2014-06-25 08:29:32 UTC
Upstream Bug: [jira PLINK-509]

Comment 5 Arun Babu Neelicattu 2014-06-30 09:57:50 UTC
Statement:

This flaw could allow remote, unauthenticated attackers to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. All systems hosting PicketLink applications using SAML Identity Providers and Service Providers may be affected. It is strongly advised that anyone running an affected system applies patches to address this flaw.

Comment 6 Martin Prpič 2014-07-08 08:53:06 UTC
Acknowledgments:

Red Hat would like to thank Alexander Papadakis for reporting this issue.

Comment 7 Martin Prpič 2014-07-09 09:51:01 UTC
IssueDescription:

It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 8 errata-xmlrpc 2014-07-15 17:13:48 UTC
This issue has been addressed in the following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0883 https://rhn.redhat.com/errata/RHSA-2014-0883.html

Comment 9 errata-xmlrpc 2014-07-15 17:24:32 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2014:0885 https://rhn.redhat.com/errata/RHSA-2014-0885.html

Comment 10 errata-xmlrpc 2014-07-16 00:07:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0884 https://rhn.redhat.com/errata/RHSA-2014-0884.html

Comment 11 errata-xmlrpc 2014-07-16 00:17:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:0886 https://rhn.redhat.com/errata/RHSA-2014-0886.html

Comment 12 errata-xmlrpc 2014-07-16 18:13:04 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2014:0898 https://rhn.redhat.com/errata/RHSA-2014-0898.html

Comment 13 errata-xmlrpc 2014-07-16 18:13:38 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:0897 https://rhn.redhat.com/errata/RHSA-2014-0897.html

Comment 14 Arun Babu Neelicattu 2014-07-20 22:49:01 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3530.yaml

Comment 15 errata-xmlrpc 2014-07-21 18:35:45 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.2.2

Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html

Comment 20 errata-xmlrpc 2015-01-27 16:23:07 UTC
This issue has been addressed in the following products:

  JBoss Data Grid 6.4.0

Via RHSA-2015:0091 https://rhn.redhat.com/errata/RHSA-2015-0091.html

Comment 22 errata-xmlrpc 2015-02-17 22:29:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 23 errata-xmlrpc 2015-02-17 22:33:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 25 errata-xmlrpc 2015-03-11 16:53:50 UTC
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 26 errata-xmlrpc 2015-03-24 21:07:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 27 errata-xmlrpc 2015-03-31 17:01:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 28 errata-xmlrpc 2015-05-14 15:21:35 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 29 errata-xmlrpc 2015-10-12 15:28:31 UTC
This issue has been addressed in the following products:



Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html