Bug 1225252 (CVE-2015-3208)

Summary: CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Product: [Other] Security Response
Reporter: Fabio Olive Leite <fleite>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aileenc, apintea, bcourt, bkearney, bkundal, bmaxwell, cbillett, cdewolf, chazlett, cpelland, cperry, csuconic, csutherl, dandread, darran.lofthouse, dimitris, dosoudil, ecottom, fgavrilo, fleite, hghasemb, jason.greene, jawilson, jmatthew, jondruse, jshepherd, kseifried, lgao, mmccune, mstead, myarboro, ohadlevy, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, security-response-team, sstavrev, tjay, tomckay, tsanders, twalsh, vtunka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-06-16 04:50:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1478549, 1478550, 1478551, 1545359
Bug Blocks: 1225253

Description Fabio Olive Leite 2015-05-27 00:40:56 UTC
An XXE vulnerability was reported in the XPath component of HornetQ,
which is present in various middleware products.
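
The bug text names the flaw class (XXE in an XPath selector) but not the mitigation. The following is an added example, not code from HornetQ, Artemis or the linked fix commit: a small XPath message-selector evaluator that parses the message body with a hardened JAXP DocumentBuilderFactory (DOCTYPE declarations refused, external general/parameter entities and external DTD loading disabled, JAXP 1.5 external-access properties emptied) before any XPath is evaluated. The class and method names (HardenedXPathSelector, matches) and the sample message bodies are this example's own assumptions.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Hypothetical selector evaluator (not the HornetQ/Artemis implementation):
// an XPath selector is evaluated against an XML message body, so the body
// must be parsed with entity resolution and DTD processing switched off.
public class HardenedXPathSelector {

    // Build a factory whose parsers cannot expand external entities or load DTDs.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE at all; this alone blocks classic XXE payloads.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces for parsers that still accept a DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        // JAXP 1.5: no protocols allowed for fetching external DTDs or schemas (no SSRF).
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Evaluate a boolean XPath selector against an XML message body.
    // Throws SAXException if the body contains a DOCTYPE (rejected before evaluation).
    static boolean matches(String xmlBody, String xpathSelector) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xmlBody)));
        XPath xp = XPathFactory.newInstance().newXPath();
        return (Boolean) xp.evaluate(xpathSelector, doc, XPathConstants.BOOLEAN);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample message: a normal body that the selector should match.
        String benign = "<order><priority>high</priority></order>";
        System.out.println("benign matches: " + matches(benign, "/order/priority = 'high'"));

        // Constructed sample message carrying a DOCTYPE; the hardened parser
        // refuses it outright instead of processing any entity declarations.
        String withDoctype = "<!DOCTYPE order [<!ENTITY e \"x\">]><order>&e;</order>";
        try {
            matches(withDoctype, "/order");
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The feature URIs above are the ones honoured by the JDK's built-in Xerces parser; a broker embedding a different XML parser should be checked for the equivalent switches, and the DOCTYPE-rejection test in main is the quickest regression check that the configuration actually took effect.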

Comment 2 Fabio Olive Leite 2015-05-27 02:58:03 UTC
Acknowledgements:

Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.

Comment 5 Kurt Seifried 2015-07-24 04:27:03 UTC
This issue appears to have been fixed in the following commit:

https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d

Comment 6 Clebert Suconic 2017-08-01 20:36:22 UTC
There is no release prior to that commit. Why is this being considered a CVE?

Comment 7 Clebert Suconic 2017-08-01 20:42:20 UTC
There has never been a release of Artemis before that commit. Is there any way to challenge the CVE?

Comment 8 Fabio Olive Leite 2017-08-03 20:27:21 UTC
Hi Clebert, I have asked two Product Security engineers to review this flaw and update the metadata if it is indeed incorrect.

Comment 9 Clebert Suconic 2017-08-03 20:48:03 UTC
In HornetQ.. maybe.. but never in Artemis.


I'm not sure this was an issue with hornetq.. as maybe it wasn't released.

Comment 10 Jason Shepherd 2017-08-03 23:08:05 UTC
Kurt, I don't think that SAM or Sat 6 could be affected here. The affected code never made it into a release AFAIK. Can you verify and update the whiteboard on this?

Comment 11 Kurt Seifried 2017-08-04 18:59:06 UTC
Created hornetq tracking bugs for this issue:

Affects: fedora-all [bug 1478551]

Comment 13 errata-xmlrpc 2018-10-16 15:18:59 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Comment 14 ecottom 2021-01-15 15:27:50 UTC
(In reply to Clebert Suconic from comment #7)
> There has never been a release of Artemis before that commit. is there any
> way to challenge the CVE?

https://cve.mitre.org/cve/cna/rules.html#appendix_c_process_to_correct_assignment_issues_update_cve_entries

https://cve.mitre.org/about/documents.html
CNA Processes
English: https://cve.mitre.org/cve/cna/CNA_Processes.pptx | https://youtu.be/yLqUMKD2Y9k
Japanese: https://cve.mitre.org/cve/cna/CNA_Processes_ja.pptx