Bug 1110110 – CVE-2014-0225 Spring Framework: Information disclosure via SSRF

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1110110 - (CVE-2014-0225) CVE-2014-0225 Spring Framework: Information disclosure via SSRF

Summary:	CVE-2014-0225 Spring Framework: Information disclosure via SSRF

Status:	CLOSED ERRATA

Aliases:	CVE-2014-0225

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20140528,repor...
Keywords:	Reopened, Security

Depends On:	1110112 1110113 1110114 1110115 1110116 1110327 1110328 1110329 1110330 1110331 1110332 1110333 1166968 1166969 1166970
Blocks:	1059445 1110111
	Show dependency tree / graph

Reported:	2014-06-17 01:05 EDT by Arun Babu Neelicattu
Modified:	2016-01-21 15:54 EST (History)
CC List:	65 users (show)

See Also:
Fixed In Version:	spring-webmvc-3.2.9.RELEASE, spring-webmvc-4.0.5.RELEASE, spring-oxm-3.2.9.RELEASE, spring-oxm-4.0.5.RELEASE
Doc Type:	Bug Fix
Doc Text:	It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2016-01-21 15:54:54 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1351	normal	SHIPPED_LIVE	Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update	2014-10-01 18:10:39 EDT

Groups: None (edit)

Description Arun Babu Neelicattu 2014-06-17 01:05:53 EDT

When processing user provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. By observing differences in response times, an attacker could then identify valid IP addresses on the internal network with functioning web servers.

Affects:
Spring MVC 3.0.0 to 3.2.8
Spring MVC 4.0.0 to 4.0.4
Spring OXM 3.0.0 to 3.2.8
Spring OXM 4.0.0 to 4.0.4

Upstream notes that earlier unsupported versions may be affected.

Upstream Bug Report:
https://jira.spring.io/browse/SPR-11768

Upstream Fix:
https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb (3.2.9)
https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1 (4.0.5)

References:
http://www.gopivotal.com/security/cve-2014-0225

Comment 3 Arun Babu Neelicattu 2014-06-17 01:19:41 EDT

Added to Victims CVE DB [1].

[1] https://github.com/victims/victims-cve-db/blob/master/database/java/2014/0225.yaml

Comment 5 Arun Babu Neelicattu 2014-06-17 08:57:56 EDT

Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1110333]

Comment 7 Kurt Seifried 2014-06-25 03:23:18 EDT

Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.

Comment 8 Martin Prpič 2014-09-29 08:05:26 EDT

IssueDescription:

It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers.

Comment 9 errata-xmlrpc 2014-10-01 14:11:16 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html

Comment 15 Fedora Update System 2015-05-08 03:40:07 EDT

springframework-3.1.4-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Pavel Polischouk 2015-09-21 13:30:43 EDT

This bug is part of Product Security work flow and should only be closed by Product Security engineers.

Note You need to log in before you can comment on or make changes to this bug.

acathrow
agrimm
aileenc
alazarot
bazulay
bdawidow
bleanhar
bmcclain
ccoleman
chazlett
cpelland
dandread
dblechte
dmcphers
ecohen
epp-bugs
etirelli
fnasser
gklein
grocha
gvarsami
hfnukal
huwang
idith
iheim
jbpapp-maint
jcoleman
jdetiber
jialiu
jkeck
joelsmith
jokerman
jpallich
jrusnack
juan.hernandez
kconner
kseifried
ldimaggi
lgao
lmeyer
lpetrovi
lsurette
mbaluch
michal.skrivanek
mmccomas
mmcgrath
msrb
mweiler
mwinkler
myarboro
nobody
nwallace
pavelp
rbalakri
Rhev-m-bugs
rrajasek
rwagner
rzhang
soa-p-jira
tcunning
theute
tkirby
weli
yeylon
ylavi