Bug 1578902 (CVE-2018-1259)

Summary: CVE-2018-1259 spring-data-commons: XXE with Spring Data’s XMLBeam integration
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: claprun, dffrench, drusso, java-sig-commits, jmadigan, jshepherd, lgriffin, ngough, puntogil, pwright, rrajasek, trepel
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: spring-data-commons 1.13.12, spring-data-commons 2.0.7
Doc Type: If docs needed, set a value
Last Closed: 2019-06-10 10:23:10 UTC
Bug Depends On: 1578939
Bug Blocks: 1578941

Description Laura Pardo 2018-05-16 15:00:39 UTC
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references as underlying library XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.


References:
https://pivotal.io/security/cve-2018-1259
https://jira.spring.io/browse/DATACMNS-1292

Comment 1 Laura Pardo 2018-05-16 16:24:31 UTC
Created springframework-data-commons tracking bugs for this issue:

Affects: fedora-all [bug 1578939]

Comment 3 Jason Shepherd 2018-05-21 07:17:22 UTC
Spring Data Commons is used by the Millicore component of RHMAP which does not make use of XMLBeam. Marking RHMAP as not affected.

Comment 4 claprun@redhat.com 2018-06-01 08:44:44 UTC
Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?

Comment 5 errata-xmlrpc 2018-06-07 08:26:06 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809

Comment 6 errata-xmlrpc 2018-12-04 16:01:08 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768