Bug 1664729 (CVE-2018-20433)

Summary: CVE-2018-20433 c3p0: XML external entity processing in extractXmlConfigFromInputStream
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abergmann, akoufoud, alazarot, almorale, anstephe, bbuckingham, bcourt, bkearney, btotty, cbillett, etirelli, hhudgeon, ibek, jjoyce, jschluet, jstastny, krathod, kverlaen, lhh, lpeer, lzap, mburns, meissner, mhulan, mkolesni, mmccune, mnovotny, ohadlevy, pjindal, rchan, rjerrido, rrajasek, rsynek, sclewis, sdaley, sisharma, skitt, slinaber, tlestach, tomckay
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: c3p0 0.9.5.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-25 09:51:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1664730, 1664731, 1665375, 1669383, 1669384    
Bug Blocks: 1664733    

Description Andrej Nemec 2019-01-09 14:09:20 UTC 
An XML external entity processing vulnerability was found in extractXmlConfigFromInputStream function in c3p0.

Upstream patch:

https://github.com/zhutougg/c3p0/commit/2eb0ea97f745740b18dd45e4a909112d4685f87b
Comment 1 Andrej Nemec 2019-01-09 14:09:56 UTC 
Created c3p0 tracking bugs for this issue:

Affects: epel-7 [bug 1664731]
Affects: fedora-all [bug 1664730]
Comment 10 Richard Maciel Costa 2019-03-13 23:00:34 UTC 
Statement:

Red Hat Satellite 6 is not vulnerable to this issue, because the candlepin component who uses the c3p0 jar never passes a XML configuration file to c3p0, even though it includes a vulnerable version of the latter. Since this issue requires a XML files to be loaded by c3p0, an exploitation path doesn't exist.
Comment 11 Joshua Padman 2019-05-15 22:50:01 UTC 
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss BPM Suite 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss SOA Platform 5
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Web Server 3 

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 12 Jason Shepherd 2019-08-08 05:48:38 UTC 
This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details
Comment 13 Joshua Padman 2019-08-12 02:16:35 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 18 Paramvir jindal 2019-12-16 12:11:59 UTC 
RHDM and RHPAM both include c3p0 jar inside kie-server war which seems to be affected :

jboss-eap7.2/standalone/deployments/kie-server.war/WEB-INF/lib/c3p0-0.9.1.1.jar