Bug 2011190 (CVE-2021-40690)
Summary: | CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, agrimm, aileenc, antti.andreimann, aos-bugs, asoldano, atangrin, bbaranow, bcoca, bibryam, bmaxwell, bmontgom, brian.stansberry, caswilli, cdewolf, chazlett, chousekn, darran.lofthouse, davidn, dkreling, dosoudil, drieden, eleandro, eparis, eric.wittmann, ewolinet, extras-orphan, fjuma, gblomqui, ggaughan, gmalinko, gvarsami, hbraun, iweiss, janstey, java-sig-commits, jburrell, jcammara, jcantril, jcoleman, jhardy, jnethert, jobarker, jochrist, jokerman, jolee, jpallich, jperkins, jschatte, jstastny, jwon, kaycoth, kloczko.tomasz, krathod, kwills, ldimaggi, lef, lgao, loleary, mabashia, mihkel.vain, msochure, msvehla, nstielau, nwallace, osapryki, pantinor, pdelbell, pdrozd, pjindal, pmackay, puntogil, relrod, rguimara, rpetrell, rstancel, rsvoboda, rwagner, sdoran, smaestri, smcdonal, spinder, sponnaga, sthorger, tcunning, theute, tkirby, tkuratom, tom.jenkinson, vkumar, yborgess |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | xmlsec-2.1.7 xmlsec-2.2.3 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2021-12-15 15:58:45 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2011191, 2011192 | ||
Bug Blocks: | 2011193 |
Description
Marian Rehak
2021-10-06 08:52:00 UTC
Created xml-security tracking bugs for this issue: Affects: epel-7 [bug 2011192] Created xml-security-c tracking bugs for this issue: Affects: fedora-all [bug 2011191] Marking this flaw as having a Moderate impact (was Important) as per Red Hat security ratings - "This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, and/or affect unlikely configurations." This is based on the flaw requiring some prerequisites which we think are unlikely to occur in applications using Santuario, namely that unprivileged users would be able to manipulate XML to inject the retrievalMethod element and that XPath transformations also be under the attackers control. Is it any patch for that issue? If not I don;t see what more ATM I can do .. @Tomasz thanks for your enquiry, the likely fixing commit (https://github.com/apache/santuario-xml-security-java/pull/51/commits/5bcbf7d4c5ef36f09543b05294e9497bae0f95f6) is specific to the java implementation so i do not believe this affects xml-security-c This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 * Red Hat JBoss Fuse Service Works 6 * Red Hat JBoss Data Virtualization 6 * Red Hat JBoss Operations Network 3 * Red Hat JBoss SOA Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7 Via RHSA-2021:5150 https://access.redhat.com/errata/RHSA-2021:5150 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8 Via RHSA-2021:5151 https://access.redhat.com/errata/RHSA-2021:5151 This issue has been addressed in the following products: EAP 7.3.10 GA Via RHSA-2021:5154 https://access.redhat.com/errata/RHSA-2021:5154 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6 Via RHSA-2021:5149 https://access.redhat.com/errata/RHSA-2021:5149 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-40690 This issue has been addressed in the following products: Red Hat Single Sign-On 7.4.10 Via RHSA-2021:5170 https://access.redhat.com/errata/RHSA-2021:5170 This issue has been addressed in the following products: Red Hat EAP-XP 2 via EAP 7.3.x base Via RHSA-2022:0146 https://access.redhat.com/errata/RHSA-2022:0146 This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152 This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151 This issue has been addressed in the following products: RHSSO 7.5.1 Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155 This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164 This issue has been addressed in the following products: RHINT Service Registry 2.0.3 GA Via RHSA-2022:0501 https://access.redhat.com/errata/RHSA-2022:0501 This issue has been addressed in the following products: RHINT Camel-Q 2.2.1 Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013 This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532 This issue has been addressed in the following products: RHAF Camel-K 1.8 Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407 |