Summary: CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Product: [Other] Security Response
Reporter: Fabio Olive Leite <fleite>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Version: unspecified
CC: aileenc, apintea, bcourt, bkearney, bkundal, bmaxwell, cbillett, cdewolf, chazlett, cpelland, cperry, csuconic, csutherl, dandread, darran.lofthouse, dimitris, dosoudil, ecottom, fgavrilo, fleite, hghasemb, jason.greene, jawilson, jmatthew, jondruse, jshepherd, kseifried, lgao, mmccune, mstead, myarboro, ohadlevy, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, security-response-team, sstavrev, tjay, tomckay, tsanders, twalsh, vtunka
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2015-06-16 04:50:53 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1478549, 1478550, 1478551, 1545359
Description Fabio Olive Leite 2015-05-27 00:40:56 UTC
An XXE vulnerability was reported in the XPath component of HornetQ, which is present in various middleware products.
Comment 2 Fabio Olive Leite 2015-05-27 02:58:03 UTC
Acknowledgements: Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.
Comment 5 Kurt Seifried 2015-07-24 04:27:03 UTC
This issue appears to have been fixed in the following commit: https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d
Comment 6 Clebert Suconic 2017-08-01 20:36:22 UTC
There is no release prior to that commit. Why is this being considered a CVE?
Comment 7 Clebert Suconic 2017-08-01 20:42:20 UTC
There has never been a release of Artemis before that commit. Is there any way to challenge the CVE?
Comment 8 Fabio Olive Leite 2017-08-03 20:27:21 UTC
Hi Clebert, I have asked two Product Security engineers to review this flaw and update the metadata if it is indeed incorrect.
Comment 9 Clebert Suconic 2017-08-03 20:48:03 UTC
In HornetQ.. maybe.. but never in Artemis. I'm not sure this was an issue with hornetq.. as maybe it wasn't released.
Comment 10 Jason Shepherd 2017-08-03 23:08:05 UTC
Kurt, I don't think that SAM or Sat 6 could be affected here. The affected code never made it into a release AFAIK. Can you verify and update the whiteboard on this?
Comment 11 Kurt Seifried 2017-08-04 18:59:06 UTC
Created hornetq tracking bugs for this issue:

Affects: fedora-all [bug 1478551]
Comment 13 errata-xmlrpc 2018-10-16 15:18:59 UTC
This issue has been addressed in the following products:

Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
Comment 14 ecottom 2021-01-15 15:27:50 UTC
(In reply to Clebert Suconic from comment #7)
> There has never been a release of Artemis before that commit. Is there any way to challenge the CVE?

https://cve.mitre.org/cve/cna/rules.html#appendix_c_process_to_correct_assignment_issues_update_cve_entries
https://cve.mitre.org/about/documents.html

CNA Processes
English: https://cve.mitre.org/cve/cna/CNA_Processes.pptx | https://youtu.be/yLqUMKD2Y9k
Japanese: https://cve.mitre.org/cve/cna/CNA_Processes_ja.pptx