Bug 705869 (CVE-2011-3600)

Summary: CVE-2011-3600 XML-RPC SAX parser information exposure
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: akurtako, bressers, jjohnstn, patrickm, swagiaal
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=low,public=20100206,reported=20110512,source=gentoo,cvss2=2.6/AV:N/AC:H/Au:N/C:P/I:N/A:N,rhel-6/xmlrpc3=wontfix,fedora-14/xmlrpc3=affected,fedora-15/xmlrpc3=notaffected
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-08-22 02:03:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 744364
Bug Blocks: 734549

Description Vincent Danen 2011-05-18 14:17:04 EDT
The changelog for XML-RPC 3.1.3 [1] indicates:

Fixed a potential security hole: The client has been able to include server side resources into the request by using external entities. Thanks to Johan Hôgre.

I have been unable to find where the fix is (no JIRA noted, so I cannot find a commit), so it is unclear whether this affects 3.0 or if this was introduced in 3.1.x at some point.

[1] http://ws.apache.org/xmlrpc/changes-report.html#a3.1.3
Comment 1 Andrew Overholt 2011-05-19 09:30:31 EDT
Do you know if there's a test or a way for us to determine if this is present in 3.0, Vincent?  Thanks.
Comment 2 Vincent Danen 2011-05-20 12:08:44 EDT
Andrew, I don't.  I've been unable to find any information on this issue beyond the above (was notified of its existence by a Gentoo bug).  I wish I could find the JIRA and a patch, but I've been unable to find that yet.
Comment 3 Ramon de C Valle 2011-10-05 13:29:10 EDT
[rcvalle@localhost xmlrpc]$ svn diff -r r906431:r906432
Index: src/changes/changes.xml
===================================================================
--- src/changes/changes.xml	(revision 906431)
+++ src/changes/changes.xml	(revision 906432)
@@ -37,6 +37,10 @@
       <action dev="jochen" type="add" due-to="Gam" due-to-email="gamaliel@fastmail.fm">
         Added support for configured timeouts to the XmlRpcSun15HttpTransport class.
       </action>
+      <action dev="jochen" type="fix" due-to="Johan H&#244;gre" due-to-email="johan.hagre@home.se">
+        Fixed a potential security hole: The client has been able to include server side resources
+        into the request by using external entities.
+      </action>
     </release>
 
     <release version="3.1.2" date="2009-Apr-19">
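Review bot: the new <action> entry carries no issue reference, so the fix cannot be traced from the changelog to a tracker entry or commit, which is exactly the problem the description above runs into ("no JIRA noted so cannot find a commit"). changes.xml supports an `issue` attribute for this; the entry should read `<action dev="jochen" type="fix" issue="..." ...>` with the tracker id filled in, and the text should state which versions are affected (3.0 as well, or only 3.1.x), since "The client has been able to include server side resources" gives no lower bound.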
Index: common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
===================================================================
--- common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java	(revision 906431)
+++ common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java	(revision 906432)
@@ -34,6 +34,20 @@
 		spf = SAXParserFactory.newInstance();
 		spf.setNamespaceAware(true);
 		spf.setValidating(false);
+		try {
+		    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		} catch (javax.xml.parsers.ParserConfigurationException e) {
+		    // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+		}
+		try {
+		    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        } catch (javax.xml.parsers.ParserConfigurationException e) {
+            // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+		}
 	}
 
 	/** Creates a new instance of {@link XMLReader}.
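Review bot: both catch blocks swallow the exception with `// Ignore it`, so on a SAX implementation that does not recognise or support `external-general-entities` or `external-parameter-entities` the factory silently keeps producing parsers with external entities enabled and nothing records that the hardening failed; a security setting should fail closed (rethrow as an unchecked exception, or at minimum log at warning level) rather than degrade to the vulnerable configuration. The hunk also leaves the DOCTYPE itself permitted: `http://apache.org/xml/features/disallow-doctype-decl` is not set, so a DTD with internal entity expansion still reaches the parser, and since XML-RPC requests never need a DTD, rejecting the declaration outright would be the simpler and stricter fix. Style: the added lines mix tab and space indentation (the `} catch` lines at the end of each block are space-indented while the surrounding code uses tabs).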
Index: pom.xml
===================================================================
--- pom.xml	(revision 906431)
+++ pom.xml	(revision 906432)
@@ -187,6 +187,10 @@
       <email>markg@nortel.com</email>
     </contributor>
     <contributor>
+      <name>Johan H&#244;gre</name>
+      <email>johan.hagre@home.se</email>
+    </contributor>
+    <contributor>
       <name>Catalin Hritcu</name>
       <email>Catalin.Hritcu@gmail.com</email>
     </contributor>
[rcvalle@localhost xmlrpc]$
Comment 6 Ramon de C Valle 2011-10-05 14:08:02 EDT
According to the reporter, for the information exposure to happen, the error message generated should be included in the response by the application, which decreases the security impact of this issue.
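The following is an added example and is not code from Apache XML-RPC, Red Hat, or anyone in this thread. It puts the pre-3.1.3 SAXParsers setup shown in comment 3 beside a hardened factory and feeds both the kind of methodCall the changelog describes: a request whose only parameter is an external entity pointing at a server-side file. The class name, the `echo` method name, the temp file standing in for a server-side resource, and the `disallow-doctype-decl` feature (which goes beyond what the 3.1.3 fix set) are all assumptions of this demo.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/*
 * Added example, not Apache XML-RPC code. It configures a SAXParserFactory the
 * way xmlrpc3 3.0 did (namespace-aware, non-validating, nothing else) and the
 * way a hardened build should, then parses the same methodCall with both. The
 * request, the "echo" method name and the secret file are constructed here.
 */
public class XmlRpcXxeDemo {

    /* Collects the character data of every <string> value in the request. */
    static final class StringValueCollector extends DefaultHandler {
        final StringBuilder text = new StringBuilder();
        private boolean inString;

        @Override
        public void startElement(String uri, String localName, String qName, Attributes atts) {
            if ("string".equals(localName) || "string".equals(qName)) inString = true;
        }

        @Override
        public void endElement(String uri, String localName, String qName) {
            if ("string".equals(localName) || "string".equals(qName)) inString = false;
        }

        @Override
        public void characters(char[] ch, int start, int length) {
            if (inString) text.append(ch, start, length);
        }
    }

    /* Same settings as SAXParsers.java before the fix: external entities stay enabled. */
    static SAXParserFactory legacyFactory() {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setValidating(false);
        return spf;
    }

    /*
     * Hardened: the two features the fix disables, plus a DOCTYPE ban (XML-RPC
     * never needs a DTD). Unlike the fix, an unsupported feature is an error
     * here, not something to ignore, so the parser fails closed.
     */
    static SAXParserFactory hardenedFactory() throws ParserConfigurationException, SAXException {
        SAXParserFactory spf = legacyFactory();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf;
    }

    /* Parses one request and returns the concatenated text of its <string> params. */
    static String stringParams(SAXParserFactory spf, String request) throws Exception {
        StringValueCollector handler = new StringValueCollector();
        InputSource in = new InputSource(new ByteArrayInputStream(request.getBytes(StandardCharsets.UTF_8)));
        spf.newSAXParser().parse(in, handler);
        return handler.text.toString();
    }

    /* A methodCall whose only parameter is an external entity pointing at a server-side file. */
    static String requestReading(File target) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE methodCall [<!ENTITY xxe SYSTEM \"" + target.toURI() + "\">]>\n"
             + "<methodCall><methodName>echo</methodName>"
             + "<params><param><value><string>&xxe;</string></value></param></params>"
             + "</methodCall>";
    }

    public static void main(String[] args) throws Exception {
        File secret = File.createTempFile("xmlrpc-demo-", ".txt");   // stands in for a server-side file
        secret.deleteOnExit();
        Files.write(secret.toPath(), "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        String request = requestReading(secret);

        // Legacy: the parser fetches the file and its content becomes the parameter.
        // Whether the client ever sees it depends on the server echoing the value
        // or building a fault message from it (the precondition in comment 6).
        System.out.println("legacy   -> " + stringParams(legacyFactory(), request));

        // Hardened: the DOCTYPE is rejected before any entity is declared.
        try {
            System.out.println("hardened -> " + stringParams(hardenedFactory(), request));
        } catch (SAXException e) {
            System.out.println("hardened -> rejected: " + e.getMessage());
        }
    }
}
```

On a stock JDK with no jaxp.properties restrictions, the legacy factory hands the handler the file content as the parameter text, which is the data a server would then echo or embed in a fault; the hardened factory throws a SAXParseException at the DOCTYPE and the handler is never called. Disabling only the two external-entity features, as 3.1.3 did, stops file inclusion but still lets a DOCTYPE through, so internal entity expansion remains possible; for a protocol that never needs a DTD, rejecting the declaration is the stricter setting.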
Comment 9 Tomas Hoger 2011-10-06 03:23:34 EDT
(In reply to comment #7)
> This issue did not affect the versions of xmlrpc3 as shipped with Fedora 13,
> 14, and 15.

I think this is supposed to say current Fedora is not affected because it's already upgraded to the fixed 3.1.3 version.  That's not the case: F13 (EOL now) and F14 still have 3.0, see:

http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f13
http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f14
Comment 11 Ramon de C Valle 2011-10-06 14:51:05 EDT
(In reply to comment #9)
> (In reply to comment #7)
> > This issue did not affect the versions of xmlrpc3 as shipped with Fedora 13,
> > 14, and 15.
> 
> I think this is supposed to say current Fedora is not affected because it's
> already upgraded to the fixed 3.1.3 version.  That's not the case: F13 (EOL now)
> and F14 still have 3.0, see:
> 
> http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f13
> http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f14

Thanks for the correction Tomas.
Comment 15 Vincent Danen 2011-10-08 00:08:33 EDT
Created xmlrpc3 tracking bugs for this issue

Affects: fedora-14 [bug 744364]
Comment 17 Vincent Danen 2015-08-22 02:02:49 EDT
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.