Bug 1148260 – CVE-2014-3682 jbpm-designer: XXE in BPMN2 import

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1148260 - (CVE-2014-3682) CVE-2014-3682 jbpm-designer: XXE in BPMN2 import

Summary:	CVE-2014-3682 jbpm-designer: XXE in BPMN2 import

Status:	CLOSED ERRATA

Aliases:	CVE-2014-3682

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20150217,repor...
Keywords:	Security

Depends On:	1150629 1150630 1150631 1150632 1150633 1150634 1152742 1152743 1152744 1152745 1152746 1152747 1152748 1152749 1152750 1152751 1152820
Blocks:	1148261 1181883
	Show dependency tree / graph

Reported:	2014-10-01 01:42 EDT by David Jorm
Modified:	2015-02-17 18:33 EST (History)
CC List:	28 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	An XML External Entity (XXE) flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-02-17 18:33:31 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0234	normal	SHIPPED_LIVE	Important: Red Hat JBoss BPM Suite 6.0.3 security update	2015-02-17 22:27:47 EST
Red Hat Product Errata	RHSA-2015:0235	normal	SHIPPED_LIVE	Important: Red Hat JBoss BRMS 6.0.3 security update	2015-02-17 22:27:36 EST

Groups: None (edit)

Description David Jorm 2014-10-01 01:42:48 EDT

An XXE flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 1 David Jorm 2014-10-01 01:45:47 EDT

Acknowledgements:

This issue was discovered by David Jorm of Red Hat Product Security.

Comment 8 Pavel Polischouk 2015-01-30 11:30:35 EST

Upstream fixes:

master: https://github.com/droolsjbpm/jbpm-designer/commit/382e43a6a203c547b91eca41dc213da98fdbf3a6
6.2.x: https://github.com/droolsjbpm/jbpm-designer/commit/69d8f6b7a099594bd0536f88d528753875857088

master: https://github.com/droolsjbpm/droolsjbpm-integration/commit/c04255ecbfcc2a50b3ed9407f4fd4570309ac214
6.2.X: https://github.com/droolsjbpm/droolsjbpm-integration/commit/ef500fd8b6d6b84313daa37276dc403f359c2fff

6.0.x
https://github.com/droolsjbpm/jbpm-designer/commit/5641588c730cc75dc3b76c34b76271fbd407fb84
https://github.com/droolsjbpm/jbpm-designer/commit/be3968d51299f6de0011324be60223ede49ecb1c

https://github.com/droolsjbpm/droolsjbpm-integration/commit/2d2074a00d16ad0bb177dbd473c423898b83eb7b
https://github.com/droolsjbpm/droolsjbpm-integration/commit/8a3862ba41d730dcc8a76ae0d86d63c75fd30295

Comment 9 errata-xmlrpc 2015-02-17 17:30:35 EST

This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 10 errata-xmlrpc 2015-02-17 17:35:09 EST

This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Note You need to log in before you can comment on or make changes to this bug.

alazarot
bleanhar
ccoleman
dmcphers
etirelli
grocha
jcoleman
jdetiber
jialiu
jkeck
jokerman
kconner
kseifried
kverlaen
lmeyer
lpetrovi
mbaluch
mjc
mmccomas
mwinkler
nwallace
pavelp
pzapataf
rrajasek
rzhang
security-response-team
tkirby
weli