Bug 1225252 (CVE-2015-3208) - CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Summary: CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Status: CLOSED WONTFIX
Alias: CVE-2015-3208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150723,repor...
Keywords: Security
Depends On: 1478551 1478549 1478550 1545359
Blocks: 1225253
Reported: 2015-05-27 00:40 UTC by Fabio Olive Leite
Modified: 2018-10-16 15:19 UTC (History)
Last Closed: 2015-06-16 04:50:53 UTC


External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2018:2927
Priority: None
Status: None
Summary: None
Last Updated: 2018-10-16 15:19 UTC

Description Fabio Olive Leite 2015-05-27 00:40:56 UTC
An XXE vulnerability was reported in the XPath component of HornetQ,
which is present in various middleware products.

Comment 2 Fabio Olive Leite 2015-05-27 02:58:03 UTC
Acknowledgements:

Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.

Comment 5 Kurt Seifried 2015-07-24 04:27:03 UTC
This issue appears to have been fixed in the following commit:

https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d

Comment 6 Clebert Suconic 2017-08-01 20:36:22 UTC
There is no release prior to that commit. Why is this being considered a CVE?

Comment 7 Clebert Suconic 2017-08-01 20:42:20 UTC
There has never been a release of Artemis before that commit. Is there any way to challenge the CVE?

Comment 8 Fabio Olive Leite 2017-08-03 20:27:21 UTC
Hi Clebert, I have asked two Product Security engineers to review this flaw and update the metadata if it is indeed incorrect.

Comment 9 Clebert Suconic 2017-08-03 20:48:03 UTC
In HornetQ.. maybe.. but never in Artemis.


I'm not sure this was an issue with hornetq.. as maybe it wasn't released.

Comment 10 Jason Shepherd 2017-08-03 23:08:05 UTC
Kurt, I don't think that SAM or Sat 6 could be affected here. The affected code never made it into a release AFAIK. Can you verify and update the whiteboard on this?

Comment 11 Kurt Seifried 2017-08-04 18:59:06 UTC
Created hornetq tracking bugs for this issue:

Affects: fedora-all [bug 1478551]

Comment 13 errata-xmlrpc 2018-10-16 15:18:59 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927
