Bug 1112987 (CVE-2014-3530) - CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
Summary: CVE-2014-3530 PicketLink: XXE via insecure DocumentBuilderFactory usage
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3530
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20140715,repo...
Depends On: 1114503 1114504 1114505 1114506 1114507 1114508 1114509 1114510 1114511 1114512 1114513 1114514 1114515 1114516 1114517 1114523 1114524 1114525 1114532 1114533 1114534 1114536 1114537 1160694
Blocks: 1082938 1093885 1113216 1116052 1116289 1119792 1127901 1181883 1182400 1182419 1200191 1244362 1244363 1551389
TreeView+ depends on / blocked
 
Reported: 2014-06-25 08:26 UTC by Arun Babu Neelicattu
Modified: 2019-06-08 20:05 UTC (History)
34 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Clone Of:
Environment:
Last Closed: 2016-03-10 22:00:45 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0883 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.2.4 security update 2014-07-15 21:13:33 UTC
Red Hat Product Errata RHSA-2014:0884 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.2.4 security update 2014-07-16 04:07:05 UTC
Red Hat Product Errata RHSA-2014:0885 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-07-15 21:24:10 UTC
Red Hat Product Errata RHSA-2014:0886 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-07-16 04:17:14 UTC
Red Hat Product Errata RHSA-2014:0897 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-07-16 22:12:52 UTC
Red Hat Product Errata RHSA-2014:0898 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-07-16 22:12:42 UTC
Red Hat Product Errata RHSA-2014:0910 normal SHIPPED_LIVE Important: Red Hat JBoss Operations Network 3.2.2 update 2014-07-21 22:35:10 UTC
Red Hat Product Errata RHSA-2015:0091 normal SHIPPED_LIVE Important: Red Hat JBoss Data Grid 6.4.0 update 2015-01-27 21:22:37 UTC
Red Hat Product Errata RHSA-2015:0234 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-18 03:27:47 UTC
Red Hat Product Errata RHSA-2015:0235 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-18 03:27:36 UTC
Red Hat Product Errata RHSA-2015:0675 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0720 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2015-03-25 01:05:53 UTC
Red Hat Product Errata RHSA-2015:0765 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-03-31 21:00:43 UTC
Red Hat Product Errata RHSA-2015:1009 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC
Red Hat Product Errata RHSA-2015:1888 normal SHIPPED_LIVE Important: Red Hat JBoss SOA Platform 5.3.1 security update 2015-10-12 19:27:33 UTC

Description Arun Babu Neelicattu 2014-06-25 08:26:50 UTC
It was found that the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method implementation provided a DocumentBuilderFactory that will expand entity references. This could be used by a remote, unauthenticated attacker to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 1 Arun Babu Neelicattu 2014-06-25 08:29:32 UTC
Upstream Bug: [jira PLINK-509]

Comment 5 Arun Babu Neelicattu 2014-06-30 09:57:50 UTC
Statement:

This flaw could allow remote, unauthenticated attackers to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks. All systems hosting PicketLink applications using SAML Identity Providers and Service Providers may be affected. It is strongly advised that anyone running an affected system applies patches to address this flaw.

Comment 6 Martin Prpič 2014-07-08 08:53:06 UTC
Acknowledgments:

Red Hat would like to thank Alexander Papadakis for reporting this issue.

Comment 7 Martin Prpič 2014-07-09 09:51:01 UTC
IssueDescription:

It was found that the implementation of the org.picketlink.common.util.DocumentUtil.getDocumentBuilderFactory() method provided a DocumentBuilderFactory that would expand entity references. A remote, unauthenticated attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 8 errata-xmlrpc 2014-07-15 17:13:48 UTC
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 6
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0883 https://rhn.redhat.com/errata/RHSA-2014-0883.html

Comment 9 errata-xmlrpc 2014-07-15 17:24:32 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2014:0885 https://rhn.redhat.com/errata/RHSA-2014-0885.html

Comment 10 errata-xmlrpc 2014-07-16 00:07:11 UTC
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.4

Via RHSA-2014:0884 https://rhn.redhat.com/errata/RHSA-2014-0884.html

Comment 11 errata-xmlrpc 2014-07-16 00:17:21 UTC
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:0886 https://rhn.redhat.com/errata/RHSA-2014-0886.html

Comment 12 errata-xmlrpc 2014-07-16 18:13:04 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2014:0898 https://rhn.redhat.com/errata/RHSA-2014-0898.html

Comment 13 errata-xmlrpc 2014-07-16 18:13:38 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:0897 https://rhn.redhat.com/errata/RHSA-2014-0897.html

Comment 14 Arun Babu Neelicattu 2014-07-20 22:49:01 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3530.yaml

Comment 15 errata-xmlrpc 2014-07-21 18:35:45 UTC
This issue has been addressed in following products:

  JBoss Operations Network 3.2.2

Via RHSA-2014:0910 https://rhn.redhat.com/errata/RHSA-2014-0910.html

Comment 20 errata-xmlrpc 2015-01-27 16:23:07 UTC
This issue has been addressed in the following products:

  JBoss Data Grid 6.4.0

Via RHSA-2015:0091 https://rhn.redhat.com/errata/RHSA-2015-0091.html

Comment 22 errata-xmlrpc 2015-02-17 22:29:21 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 23 errata-xmlrpc 2015-02-17 22:33:45 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 25 errata-xmlrpc 2015-03-11 16:53:50 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 26 errata-xmlrpc 2015-03-24 21:07:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 27 errata-xmlrpc 2015-03-31 17:01:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 28 errata-xmlrpc 2015-05-14 15:21:35 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 29 errata-xmlrpc 2015-10-12 15:28:31 UTC
This issue has been addressed in the following products:



Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html


Note You need to log in before you can comment on or make changes to this bug.