Bug 1043332 - (CVE-2013-6440) CVE-2013-6440 XMLTooling-J/OpenSAML Java: XML eXternal Entity (XXE) flaw in ParserPool and Decrypter
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20131211,repor...
Keywords: Security
Depends On: 1045295 1045296 1045297 1045298 1051300 1051301 1051302 1075468
Blocks: 1043333 1050810 1055846 1058944 1141957 1145284 1159080
Reported: 2013-12-15 20:56 EST by David Jorm
Modified: 2016-02-15 08:35 EST (History)
Doc Type: Bug Fix
Doc Text:
It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Last Closed: 2014-12-15 16:15:33 EST
Description David Jorm 2013-12-15 20:56:37 EST
Issue Description:

It was found that the ParserPool and Decrypter classes in the OpenSAML Java implementation resolved external entities, permitting XML External Entity (XXE) attacks. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
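The flaw described above is the parser resolving external entities. The following added example (not code from this bug or from OpenSAML/XMLTooling-J) shows, with plain JAXP, the parser configuration that prevents this and a self-check that the configured parser rejects any DOCTYPE before an entity could be resolved. The probe document is constructed for the check and declares only an internal entity.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXParseException;

public class HardenedSamlParser {

    // Factory that cannot resolve external entities: DOCTYPE is refused outright,
    // general/parameter entities and external DTD loading are off, XInclude is off.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // SAML and XML Signature processing require namespaces
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Self-check: a document carrying a DOCTYPE must fail to parse. Returns true when
    // the factory rejects it, false when the parser accepted the DOCTYPE.
    static boolean rejectsDoctype(DocumentBuilderFactory f) throws Exception {
        // Constructed probe: internal entity only, no external reference.
        String probe = "<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY e \"probe\">]><x>&e;</x>";
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(probe.getBytes(StandardCharsets.UTF_8)));
            return false;
        } catch (SAXParseException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // JAXP defaults: DOCTYPE and entity resolution allowed, the pre-fix situation.
        DocumentBuilderFactory defaults = DocumentBuilderFactory.newInstance();
        System.out.println("default factory rejects DOCTYPE: " + rejectsDoctype(defaults));
        System.out.println("hardened factory rejects DOCTYPE: " + rejectsDoctype(hardenedFactory()));
    }
}
```

Running `rejectsDoctype` against whatever factory a deployment hands to its SAML parser pool is a quick way to confirm the fix took effect.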
Comment 2 Arun Babu Neelicattu 2013-12-15 23:03:02 EST
Acknowledgements:

This issue was discovered by David Illsley, Ron Gutierrez of Gotham Digital Science, and David Jorm of the Red Hat Security Response Team.
Comment 5 Arun Babu Neelicattu 2014-01-09 00:45:40 EST
All versions of XMLTooling-J before 1.4.1 and distributions of OpenSAML Java before 2.6.1 are affected by this flaw.
Comment 9 errata-xmlrpc 2014-02-13 13:38:33 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0172 https://rhn.redhat.com/errata/RHSA-2014-0172.html
Comment 10 errata-xmlrpc 2014-02-13 13:39:45 EST
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0171 https://rhn.redhat.com/errata/RHSA-2014-0171.html
Comment 11 errata-xmlrpc 2014-02-13 13:41:28 EST
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0170 https://rhn.redhat.com/errata/RHSA-2014-0170.html
Comment 12 errata-xmlrpc 2014-02-20 12:23:22 EST
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.1

Via RHSA-2014:0195 https://rhn.redhat.com/errata/RHSA-2014-0195.html
Comment 13 errata-xmlrpc 2014-04-30 14:50:56 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3

Via RHSA-2014:0452 https://rhn.redhat.com/errata/RHSA-2014-0452.html
Comment 14 errata-xmlrpc 2014-09-23 16:20:06 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2014:1291 https://rhn.redhat.com/errata/RHSA-2014-1291.html
Comment 15 errata-xmlrpc 2014-09-23 16:20:55 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2014:1290 https://rhn.redhat.com/errata/RHSA-2014-1290.html
Comment 18 errata-xmlrpc 2014-12-15 15:35:55 EST
This issue has been addressed in the following products:

  JBoss Fuse Service Works 6.0.0

Via RHSA-2014:1995 https://rhn.redhat.com/errata/RHSA-2014-1995.html