Bug 1694235 (CVE-2020-10683)
| Field | Value |
|---|---|
| Summary | CVE-2020-10683 dom4j: XML External Entity vulnerability in default SAX parser |
| Product | [Other] Security Response |
| Reporter | Pedro Sampaio <psampaio> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | abenaiss, aboyko, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, asoldano, atangrin, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bkearney, bmaxwell, bmcclain, bmontgom, brian.stansberry, btotty, cbyrne, cdewolf, chazlett, cmacedo, cmoulliard, csutherl, darran.lofthouse, dbhole, dffrench, dimitris, dkreling, dmoppert, dosoudil, drieden, drusso, eparis, etirelli, fgavrilo, ggaughan, gmalinko, gvarsami, gzaronik, hdegoede, hhorak, hhudgeon, ibek, ikanello, iweiss, janstey, java-maint, jawilson, jbalunas, jburrell, jclere, jcoleman, jmadigan, jochrist, jokerman, jolee, jondruse, jorton, jpallich, jperkins, jschatte, jshepherd, jstastny, jwon, kconner, krathod, kverlaen, kwills, ldimaggi, lgao, loleary, lpetrovi, lthon, lzap, mbabacek, mhulan, mizdebsk, mmccune, mnovotny, msochure, msvehla, mszynkie, myarboro, ngough, nmoumoul, nsantos, nstielau, nwallace, paradhya, pbhattac, pdrozd, pgallagh, pgier, pjindal, pmackay, ppalaga, pslavice, psotirop, pwright, rchan, rguimara, rjerrido, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sdaley, security-response-team, smaestri, sokeeffe, spinder, sponnaga, sthorger, stuart, tcunning, theute, tkirby, tlestach, tom.jenkinson, trepel, twalsh, vbobade, vhalbert, vtunka, weli |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | dom4j 2.0.3, dom4j 2.1.3 |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2020-08-17 15:15:21 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1824291, 1824292, 1824293, 1824294, 1825098, 1940260, 1940264 |
| Bug Blocks | 1694237 |
Description
Pedro Sampaio
2019-03-29 20:39:32 UTC
This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Operations Network 3
* Red Hat JBoss Fuse Service Works 6
* Red Hat JBoss Fuse 6
* Red Hat JBoss SOA Platform 5
* Red Hat JBoss BRMS 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss BPM Suite 6
* Red Hat Enterprise Application Platform 6
* Red Hat Enterprise Application Platform 5
* Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following product:

* Red Hat Mobile Application Platform

Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.

This vulnerability is out of security support scope for the following product:

* Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following product:

* Red Hat JBoss Enterprise Web Server 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Created dom4j tracking bugs for this issue:

Affects: fedora-all [bug 1824294]

Acknowledgments:

Name: Adith Sudhakar

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3464 https://access.redhat.com/errata/RHSA-2020:3464

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2020:3461 https://access.redhat.com/errata/RHSA-2020:3461

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2020:3462 https://access.redhat.com/errata/RHSA-2020:3462

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2020:3463 https://access.redhat.com/errata/RHSA-2020:3463

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10683

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.2

Via RHSA-2020:3501 https://access.redhat.com/errata/RHSA-2020:3501

This issue has been addressed in the following products:

  EAP-CD 20 Tech Preview

Via RHSA-2020:3585 https://access.redhat.com/errata/RHSA-2020:3585

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2020:3637 https://access.redhat.com/errata/RHSA-2020:3637

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2020:3639 https://access.redhat.com/errata/RHSA-2020:3639

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2020:3638 https://access.redhat.com/errata/RHSA-2020:3638

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2020:3642 https://access.redhat.com/errata/RHSA-2020:3642

This issue has been addressed in the following products:

  RHDM 7.9.0

Via RHSA-2020:4960 https://access.redhat.com/errata/RHSA-2020:4960

This issue has been addressed in the following products:

  RHPAM 7.9.0

Via RHSA-2020:4961 https://access.redhat.com/errata/RHSA-2020:4961

This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568

Statement:

OpenShift Container Platform ships a vulnerable version of the dom4j library. However, it's used to parse configuration files, which are local disk resources. We've rated this issue with a moderate impact for OpenShift Container Platform.

It turns out that OpenShift Container Platform 3.11 and 4.x already have a fixed version of dom4j in the jenkins rpms. I made a mistake by thinking it had an affected version earlier.