Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1239002 - (CVE-2015-3192) CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20150630,repor...
: Reopened, Security
Depends On: 1323347 1239005 1323348 1323349 1323350 1323351 1323352 1323353
Blocks: 1239004 1343801 1379523 1381801 1385169
  Show dependency treegraph
 
Reported: 2015-07-03 04:48 EDT by Martin Prpič
Modified: 2018-07-18 10:40 EDT (History)
41 users (show)

See Also:
Fixed In Version: Spring Framework 3.2.14, Spring Framework 4.1.7
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-19 05:37:17 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1218 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security and bug fix update 2016-06-09 13:49:45 EDT
Red Hat Product Errata RHSA-2016:1219 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS security and bug fix update 2016-06-09 13:49:39 EDT
Red Hat Product Errata RHSA-2016:1592 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS 6.3.2 security and bug fix update 2016-08-10 18:52:12 EDT
Red Hat Product Errata RHSA-2016:1593 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite 6.3.2 security and bug fix update 2016-08-10 18:52:07 EDT
Red Hat Product Errata RHSA-2016:2035 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.3 security update 2016-10-06 16:18:07 EDT
Red Hat Product Errata RHSA-2016:2036 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.3 security update 2016-10-06 16:18:02 EDT

  None (edit)
Description Martin Prpič 2015-07-03 04:48:38 EDT 
The following flaw was found in all versions of Spring Framework:

If DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

Upstream bug:

https://jira.spring.io/browse/SPR-13136

External References:

http://pivotal.io/security/cve-2015-3192
Comment 1 Martin Prpič 2015-07-03 04:52:41 EDT 
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1239005]
Comment 2 Fedora Update System 2015-07-15 22:35:10 EDT 
springframework-3.2.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-07-15 22:35:35 EDT 
springframework-3.2.14-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Pavel Polischouk 2015-09-21 13:30:33 EDT 
This bug is part of Product Security work flow and should only be closed by Product Security engineers.
Comment 7 errata-xmlrpc 2016-06-09 09:49:52 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.2

Via RHSA-2016:1219 https://access.redhat.com/errata/RHSA-2016:1219
Comment 8 errata-xmlrpc 2016-06-09 09:50:29 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.2

Via RHSA-2016:1218 https://access.redhat.com/errata/RHSA-2016:1218
Comment 9 errata-xmlrpc 2016-08-10 14:52:35 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.3.2

Via RHSA-2016:1593 https://rhn.redhat.com/errata/RHSA-2016-1593.html
Comment 10 errata-xmlrpc 2016-08-10 14:53:32 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.3.2

Via RHSA-2016:1592 https://rhn.redhat.com/errata/RHSA-2016-1592.html
Comment 11 errata-xmlrpc 2016-10-06 12:18:22 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.3

Via RHSA-2016:2036 https://rhn.redhat.com/errata/RHSA-2016-2036.html
Comment 12 errata-xmlrpc 2016-10-06 12:19:08 EDT 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.