Bug 1169553 (CVE-2014-8125) - CVE-2014-8125 jBPM: BPMN2 file processing XXE in Process Execution
Summary: CVE-2014-8125 jBPM: BPMN2 file processing XXE in Process Execution
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-8125
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1181371 1169568 1169569 1169570 1169571 1169572 1169573 1181370 1181372 1181373 1181374 1181375
Blocks: 1169514 1196295 1210482 1385169
TreeView+ depends on / blocked
 
Reported: 2014-12-02 01:56 UTC by Pavel Polischouk
Modified: 2023-05-12 13:52 UTC (History)
25 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that the jBPM runtime performed expansion of external parameter entities while executing BPMN2 files. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XML eXternal Entity (XXE) attacks.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:36:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:0850 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC

Description Pavel Polischouk 2014-12-02 01:56:11 UTC 
An XXE flaw was found in the jBPM runtime while executing BPMN2 files. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Comment 1 Pavel Polischouk 2014-12-02 01:58:14 UTC 
Acknowledgements:

This issue was discovered by Jeremy Lindop of Red Hat.
Comment 5 Maciej Swiderski 2014-12-22 14:02:39 UTC 
fixed in drools and jbpm runtime side:

drools
master:
https://github.com/droolsjbpm/drools/commit/c48464c3b246e6ef0d4cd0dbf67e83ccd532c6d3

6.2.x:
https://github.com/droolsjbpm/drools/commit/5b850e8c121be994dbbc5ecba3de4e7355ac4331


jbpm
master:
https://github.com/droolsjbpm/jbpm/commit/713e8073ecf45623cfc5c918c5cbf700203f46e5

6.2.x:
https://github.com/droolsjbpm/jbpm/commit/4d0dc877bc182cb8cc8b07bc95e9946d9aeb028e
Comment 8 Pavel Polischouk 2015-01-30 15:58:22 UTC 
Statement:

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Comment 10 errata-xmlrpc 2015-04-16 16:08:19 UTC 
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
Comment 11 errata-xmlrpc 2015-04-16 16:11:10 UTC 
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
Note You need to log in before you can comment on or make changes to this bug.