Bug 1544034 (CVE-2018-1307)

Summary: CVE-2018-1307 juddi-client: XML Entity Expansion in WADL2Java or WSDL2Java classes
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: juddi-client 3.3.5
Doc Type: If docs needed, set a value
Last Closed: 2018-04-22 23:13:47 UTC
Bug Blocks: 1544035

Description Laura Pardo 2018-02-09 22:43:06 UTC
A flaw was found in Apache jUDDI 3.2 through 3.3.4: if using the WADL2Java or WSDL2Java classes, which parse a local or remote XML document and then mediate the data structures into UDDI data structures, there is little protection present against entity expansion and DTD-type attacks.

References:
http://juddi.apache.org/security.html
https://issues.apache.org/jira/browse/JUDDI-987

Patch:
https://git-wip-us.apache.org/repos/asf?p=juddi.git;h=248b39c
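
The mitigation class the report points at, as an added example that is not part of the jUDDI patch or of this report: a JAXP DocumentBuilderFactory configured to refuse DOCTYPE declarations, compared against the default factory on a constructed document with nested internal entities. The feature URIs are the standard Xerces/SAX ones shipped with the JDK parser; how jUDDI itself configures its parser is not stated on this page and is not assumed here.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParse {
    // Constructed sample: a nested-entity document of the kind the report describes.
    // Expansion is kept shallow (100 copies of "lol") so the default parse stays quick.
    static final String EXPANSION_DOC =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE lolz [\n"
      + " <!ENTITY lol \"lol\">\n"
      + " <!ENTITY lol1 \"&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;\">\n"
      + " <!ENTITY lol2 \"&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;\">\n"
      + "]>\n"
      + "<lolz>&lol2;</lolz>";

    /** JAXP factory with DTD processing disabled; feature URIs are the standard Xerces/SAX ones. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: with no entity declarations there is nothing to expand
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for providers that do not honour the feature above
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Secure processing enforces the JDK's entity-expansion and size limits
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    /** Returns true when the factory accepts the document, false when it is rejected. */
    static boolean parses(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default factory accepts: " + parses(DocumentBuilderFactory.newInstance(), EXPANSION_DOC));
        System.out.println("hardened factory accepts: " + parses(hardenedFactory(), EXPANSION_DOC));
    }
}
```

The default factory expands the 100 entity references without complaint, while the hardened factory rejects the document at the DOCTYPE before any expansion happens.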

Comment 2 Chess Hazlett 2018-04-22 23:14:06 UTC
Statement:

No Red Hat products are affected by CVE-2018-1307.