1053290 – (CVE-2013-6429) CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw

Bug 1053290 (CVE-2013-6429) - CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw

Summary: CVE-2013-6429 Spring Framework: XML External Entity (XXE) injection flaw

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2013-6429
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1054605 1054606
Blocks:	1026176 1053291
TreeView+	depends on / blocked

Reported:	2014-01-14 22:48 UTC by David Jorm
Modified:	2021-02-17 06:59 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2015-02-11 17:49:47 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:0400	0	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Fuse 6.1.0 update	2014-04-14 18:27:37 UTC
Red Hat Product Errata	RHSA-2014:0401	0	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss A-MQ 6.1.0 update	2014-04-14 18:07:26 UTC

Description David Jorm 2014-01-14 22:48:04 UTC

It was found that the Spring MVC SourceHttpMessageConverter processed user-provided XML, and did not expose any property for disabling entity resolution in the XML. A remote attacker could use this flaw to conduct XML External Entity (XXE) attacks on web sites, and read files in the context of the user running the application server. The patch for this flaw disables external entity processing by default, and provides a configuration directive to re-enable it. This flaw is considered to be the result of an incomplete fix for CVE-2013-4152.

Comment 1 Vincent Danen 2014-01-14 23:25:43 UTC

The upstream git commit to correct this issue is here:

https://github.com/spring-projects/spring-framework/commit/2ae6a6a3415eebc57babcb9d3e5505887eda6d8a


External References:

http://www.gopivotal.com/security/cve-2013-6429

Comment 4 Chess Hazlett 2014-04-15 02:36:31 UTC

This issue has been addressed in following products:

  Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html

Comment 5 Chess Hazlett 2014-04-15 02:39:19 UTC

This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html

Note You need to log in before you can comment on or make changes to this bug.