Bug 1239002 (CVE-2015-3192) - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
Summary: CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3192
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1323347 1239005 1323348 1323349 1323350 1323351 1323352 1323353
Blocks: 1239004 1343801 1379523 1381801 1385169
TreeView+ depends on / blocked
 
Reported: 2015-07-03 08:48 UTC by Martin Prpič
Modified: 2021-02-17 05:09 UTC (History)
39 users (show)

See Also:
Fixed In Version: Spring Framework 3.2.14, Spring Framework 4.1.7
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:42:07 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1218 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security and bug fix update 2016-06-09 17:49:45 UTC
Red Hat Product Errata RHSA-2016:1219 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS security and bug fix update 2016-06-09 17:49:39 UTC
Red Hat Product Errata RHSA-2016:1592 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS 6.3.2 security and bug fix update 2016-08-10 22:52:12 UTC
Red Hat Product Errata RHSA-2016:1593 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite 6.3.2 security and bug fix update 2016-08-10 22:52:07 UTC
Red Hat Product Errata RHSA-2016:2035 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.3 security update 2016-10-06 20:18:07 UTC
Red Hat Product Errata RHSA-2016:2036 0 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.3 security update 2016-10-06 20:18:02 UTC

Description Martin Prpič 2015-07-03 08:48:38 UTC 
The following flaw was found in all versions of Spring Framework:

If DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

Upstream bug:

https://jira.spring.io/browse/SPR-13136

External References:

http://pivotal.io/security/cve-2015-3192
Comment 1 Martin Prpič 2015-07-03 08:52:41 UTC 
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1239005]
Comment 2 Fedora Update System 2015-07-16 02:35:10 UTC 
springframework-3.2.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 3 Fedora Update System 2015-07-16 02:35:35 UTC 
springframework-3.2.14-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 4 Pavel Polischouk 2015-09-21 17:30:33 UTC 
This bug is part of Product Security work flow and should only be closed by Product Security engineers.
Comment 7 errata-xmlrpc 2016-06-09 13:49:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.2

Via RHSA-2016:1219 https://access.redhat.com/errata/RHSA-2016:1219
Comment 8 errata-xmlrpc 2016-06-09 13:50:29 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.2

Via RHSA-2016:1218 https://access.redhat.com/errata/RHSA-2016:1218
Comment 9 errata-xmlrpc 2016-08-10 18:52:35 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.3.2

Via RHSA-2016:1593 https://rhn.redhat.com/errata/RHSA-2016-1593.html
Comment 10 errata-xmlrpc 2016-08-10 18:53:32 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.3.2

Via RHSA-2016:1592 https://rhn.redhat.com/errata/RHSA-2016-1592.html
Comment 11 errata-xmlrpc 2016-10-06 16:18:22 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.3

Via RHSA-2016:2036 https://rhn.redhat.com/errata/RHSA-2016-2036.html
Comment 12 errata-xmlrpc 2016-10-06 16:19:08 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html
Note You need to log in before you can comment on or make changes to this bug.