Bug 1801149 (CVE-2019-13990)

Summary: CVE-2019-13990 libquartz: XXE attacks via job description
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: agrimm, aileenc, akoufoud, alazarot, almorale, anstephe, bbuckingham, bcourt, bkearney, btotty, chazlett, dblechte, dfediuck, dmoppert, drieden, eedri, etirelli, extras-orphan, ggaughan, gvarsami, hhudgeon, ibek, janstey, java-sig-commits, jcoleman, jochrist, jstastny, jwon, kconner, krathod, kverlaen, ldimaggi, lef, lsurette, lzap, mgoldboi, michal.skrivanek, mmccune, mnovotny, nwallace, paradhya, pjindal, puntogil, rchan, rjerrido, rrajasek, rsynek, rwagner, sbonazzo, sdaley, security-response-team, sherold, sokeeffe, tcunning, tkirby, tlestach, tmielke, yturgema
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: quartz-2.3.2 Doc Type: If docs needed, set a value
Doc Text:
The Terracotta Quartz Scheduler is susceptible to an XML external entity attack (XXE) through a job description. This issue stems from inadequate handling of XML external entity (XXE) declarations in the initDocumentParser function within xml/XMLSchedulingDataProcessor.java. By enticing a victim to access a maliciously crafted job description (containing XML content), a remote attacker could exploit this vulnerability to execute an XXE attack on the targeted system.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-29 07:27:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1807886, 1814510, 1814511    
Bug Blocks: 1801151    

Comment 6 Doran Moppert 2020-03-18 04:45:32 UTC
Created quartz tracking bugs for this issue:

Affects: fedora-all [bug 1814510]

Comment 8 Barnaby Court 2020-03-23 14:37:23 UTC
We quartz as an embedded library and do not use the relevant XML based job creation that is affected by this CVE.

Comment 9 Cedric Buissart 2020-03-23 15:00:44 UTC
Statement:

Red Hat Satellite 6 uses a vulnerable version of libquartz as a dependency for candlepin. However, the <job><descrition> entry is not used, and the vulnerability can not be triggered. An update may fix the code in the future.

Comment 14 errata-xmlrpc 2020-07-29 06:07:57 UTC
This issue has been addressed in the following products:

  Red Hat Decision Manager

Via RHSA-2020:3196 https://access.redhat.com/errata/RHSA-2020:3196

Comment 15 errata-xmlrpc 2020-07-29 06:23:17 UTC
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2020:3197 https://access.redhat.com/errata/RHSA-2020:3197

Comment 16 Product Security DevOps Team 2020-07-29 07:27:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-13990

Comment 17 errata-xmlrpc 2020-08-04 13:15:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2020:3247 https://access.redhat.com/errata/RHSA-2020:3247

Comment 18 errata-xmlrpc 2020-12-16 12:13:04 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.8.0

Via RHSA-2020:5568 https://access.redhat.com/errata/RHSA-2020:5568