Bug 1663857 (CVE-2018-11788)

Summary: CVE-2018-11788 karaf: XML external entity processing
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: chazlett, jjoyce, jschluet, lhh, lpeer, mburns, mkolesni, sclewis, slinaber, tmielke
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: karaf 4.1.7, karaf 4.2.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Apache Karaf XMLInputFactory, where it does not prevent External Entity Processing (XXE). This is a potential security risk as an attacker could inject external XML entities to access sensitive information or conduct further attacks.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-25 09:51:16 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1665863, 1665864, 1665865, 1665866, 1666164
Bug Blocks: 1663858

Description Andrej Nemec 2019-01-07 08:41:22 UTC
It was found that the Apache Karaf XMLInputFactory class doesn't contain any mitigation code against XXE. This is a potential security risk as a user can inject external XML entities.

Upstream patch:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=cc3332e

References:

https://issues.apache.org/jira/browse/KARAF-5911
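The standard hardening for the flaw described above, as an added example that is neither Karaf's code nor the upstream patch: a javax.xml.stream.XMLInputFactory with DTD support and external entity resolution switched off, exercised against a constructed document whose DTD declares an external entity. The class name, the sample XML and the placeholder SYSTEM URI are assumptions.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class HardenedStax {
    /** Factory with the two StAX properties that stop external entity processing. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // Do not process DOCTYPE/DTD content, so no entities can be declared.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        // Even where a DTD is processed, never fetch SYSTEM/PUBLIC entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f;
    }

    /** Text the application sees: under the hardened factory the parser either rejects
     *  the document (XMLStreamException) or surfaces the reference unexpanded; the
     *  SYSTEM URI is never fetched. */
    static String textContent(XMLInputFactory f, String xml) throws XMLStreamException {
        XMLStreamReader r = f.createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                int ev = r.next();
                if (ev == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                } else if (ev == XMLStreamConstants.ENTITY_REFERENCE) {
                    sb.append('&').append(r.getLocalName()).append(';'); // unexpanded
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample: its DTD declares an external entity with a placeholder URI.
        String xml = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE config [<!ENTITY ext SYSTEM \"file:///placeholder/never-read\">]>"
            + "<config>&ext;</config>";
        try {
            System.out.println("application saw: " + textContent(hardenedFactory(), xml));
        } catch (XMLStreamException e) {
            System.out.println("rejected by hardened parser: " + e.getMessage());
        }
    }
}
```

Whether a given StAX implementation throws or emits an ENTITY_REFERENCE event for the sample depends on the provider, so a regression test should accept either outcome and fail only if the entity is expanded.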

Comment 14 Summer Long 2020-12-22 05:20:28 UTC
Statement:

Red Hat OpenStack Platform: Karaf is used by RHOSP's OpenDaylight, and this flaw impacts the loading of XML documents within Karaf, allowing arbitrary XML to be injected into parsed documents. The impact of this vulnerability is reduced in OpenDaylight, given Karaf is an administrative component and not normally exposed to public networks or non-privileged users, and therefore will not be fixed at this time.

Fuse 7:
The impact of this vulnerability is reduced, as exploiting it would require an authenticated user, and no unsecured endpoints are exposed to the network.