Bug 1169553 (CVE-2014-8125)
| Summary: | CVE-2014-8125 jBPM: BPMN2 file processing XXE in Process Execution | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pavel Polischouk <pavelp> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, alazarot, chazlett, etirelli, gvarsami, jcoleman, jolee, jpallich, kconner, kverlaen, ldimaggi, lpetrovi, mbaluch, mswiders, mwinkler, nwallace, rrajasek, rwagner, rzhang, security-response-team, tcunning, tkirby, tsurdilo, vhalbert, weli |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | It was discovered that the jBPM runtime performed expansion of external parameter entities while executing BPMN2 files. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 02:36:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1169568, 1169569, 1169570, 1169571, 1169572, 1169573, 1181370, 1181371, 1181372, 1181373, 1181374, 1181375 | | |
| Bug Blocks: | 1169514, 1196295, 1210482, 1385169 | | |
Description
Pavel Polischouk
2014-12-02 01:56:11 UTC
Acknowledgements: This issue was discovered by Jeremy Lindop of Red Hat.

Fixed in drools and jbpm runtime side:

- drools master: https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3
- drools 6.2.x: https://github.com/droolsjbpm/drools/commit/5b850e8c121be994dbbc5ecba3de4e7355ac4331
- jbpm master: https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5
- jbpm 6.2.x: https://github.com/droolsjbpm/jbpm/commit/4d0dc877bc182cb8cc8b07bc95e9946d9aeb028e

Statement: Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

This issue has been addressed in the following products:

- JBoss BPM Suite 6.1.0 via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
- JBoss BRMS 6.1.0 via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
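The Doc Text above describes the class of defect (a JAXP parser that resolves external parameter entities while loading a BPMN2 definition), and the commits listed fix it on the drools and jbpm runtime side. The following Java snippet is an added illustration of the defensive parser configuration for that class of defect; it is not code from the jBPM project or from the linked commits, which may harden the parser differently. The BPMN2 documents, the entity name `ext` and the `file:///placeholder/...` SYSTEM identifier are constructed for the example; the feature URIs are the standard Xerces/JAXP ones shipped with the JDK's built-in parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

public class Bpmn2ParserHardening {

    // Constructed minimal BPMN2 definition with no DOCTYPE: what a runtime should expect to see.
    static final String PLAIN_BPMN2 =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\" id=\"Definition\">\n" +
        "  <process id=\"example\" name=\"example\"/>\n" +
        "</definitions>\n";

    // Constructed definition that carries a DOCTYPE with an external parameter entity.
    // The SYSTEM identifier is a placeholder path, not a real file.
    static final String BPMN2_WITH_EXTERNAL_PE =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" +
        "<!DOCTYPE definitions [\n" +
        "  <!ENTITY % ext SYSTEM \"file:///placeholder/not-a-real-path\">\n" +
        "  %ext;\n" +
        "]>\n" +
        "<definitions xmlns=\"http://www.omg.org/spec/BPMN/20100524/MODEL\" id=\"Definition\">\n" +
        "  <process id=\"example\" name=\"example\"/>\n" +
        "</definitions>\n";

    /** Factory configured for a runtime that only needs to read BPMN2 definitions. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // BPMN2 definitions have no legitimate DOCTYPE, so refuse one outright. This stops the
        // parser before any parameter entity declaration is even looked at.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a different parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // Secure processing additionally caps entity expansion on modern JDKs.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Returns true if the factory's parser accepted the document, false if it refused it. */
    static boolean accepts(DocumentBuilderFactory factory, String xml) {
        try {
            DocumentBuilder builder = factory.newDocumentBuilder();
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (Exception e) {
            // A SAXParseException here ("DOCTYPE is disallowed ...") is the hardened parser
            // refusing the document; an IOException from the default parser shows it tried to
            // open the SYSTEM identifier, i.e. it left the document to resolve the entity.
            System.out.println("  rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();
        DocumentBuilderFactory hardened = hardenedFactory();

        System.out.println("plain definition, default factory:   " + accepts(defaults, PLAIN_BPMN2));
        System.out.println("plain definition, hardened factory:  " + accepts(hardened, PLAIN_BPMN2));
        // The default factory attempts to resolve the external parameter entity; with the
        // placeholder path that attempt fails with an I/O error, which is itself the symptom.
        System.out.println("external PE, default factory:        " + accepts(defaults, BPMN2_WITH_EXTERNAL_PE));
        // The hardened factory rejects at the DOCTYPE and never touches the file system.
        System.out.println("external PE, hardened factory:       " + accepts(hardened, BPMN2_WITH_EXTERNAL_PE));
    }
}
```

The same feature flags apply to `SAXParserFactory` and, via `XMLInputFactory.SUPPORT_DTD` / `IS_SUPPORTING_EXTERNAL_ENTITIES`, to StAX readers; whichever API the runtime uses to load process definitions, the check to make during review is that every factory instance in the code path sets these before `newDocumentBuilder()` or its equivalent is called, since a freshly created factory defaults to resolving external entities.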