Bug 1203341 (CVE-2015-0264)

Summary: CVE-2015-0264 Camel: XXE via XPath expression evaluation
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acai, aileenc, alazarot, bleanhar, ccoleman, chazlett, dmcphers, etirelli, gvarsami, jcoleman, jialiu, jkeck, jokerman, kconner, ldimaggi, lmeyer, lpetrovi, mbaluch, mmccomas, mwinkler, nwallace, rrajasek, rwagner, rzhang, soa-p-jira, tcunning, tkirby, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Camel 2.13.4, Camel 2.14.2 Doc Type: Bug Fix
Doc Text:
It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:40:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1217645, 1217646, 1217647, 1217648, 1217649, 1217650, 1217651, 1217652, 1217653, 1217654    
Bug Blocks: 1203345, 1222987, 1244364, 1288332, 1385169    

Description Martin Prpič 2015-03-18 15:44:52 UTC 
It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Upstream patch:

https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=1df559649a96a1ca0368373387e542f46e4820da

External References:

https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc
Comment 6 errata-xmlrpc 2015-06-01 17:08:14 UTC 
This issue has been addressed in the following products:

  JBoss Fuse/A-MQ 6.1.0

Via RHSA-2015:1041 https://rhn.redhat.com/errata/RHSA-2015-1041.html
Comment 7 errata-xmlrpc 2015-08-03 19:41:20 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.2

Via RHSA-2015:1539 https://rhn.redhat.com/errata/RHSA-2015-1539.html
Comment 8 errata-xmlrpc 2015-08-03 19:41:47 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.2

Via RHSA-2015:1538 https://rhn.redhat.com/errata/RHSA-2015-1538.html
Comment 9 errata-xmlrpc 2015-12-07 20:51:43 UTC 
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.2.1

Via RHSA-2015:2558 https://rhn.redhat.com/errata/RHSA-2015-2558.html