Bug 1239002 (CVE-2015-3192) - CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
Summary: CVE-2015-3192 Spring Framework: denial-of-service attack with XML input
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3192
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1323347 1239005 1323348 1323349 1323350 1323351 1323352 1323353
Blocks: 1239004 1343801 1379523 1381801 1385169
TreeView+ depends on / blocked
 
Reported: 2015-07-03 08:48 UTC by Martin Prpič
Modified: 2019-09-29 13:34 UTC (History)
39 users (show)

Fixed In Version: Spring Framework 3.2.14, Spring Framework 4.1.7
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way Spring processes inline DTD declarations. A remote attacker could submit a specially crafted XML file that would cause out-of-memory errors when parsed.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:42:07 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1218 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite security and bug fix update 2016-06-09 17:49:45 UTC
Red Hat Product Errata RHSA-2016:1219 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS security and bug fix update 2016-06-09 17:49:39 UTC
Red Hat Product Errata RHSA-2016:1592 normal SHIPPED_LIVE Moderate: Red Hat JBoss BRMS 6.3.2 security and bug fix update 2016-08-10 22:52:12 UTC
Red Hat Product Errata RHSA-2016:1593 normal SHIPPED_LIVE Moderate: Red Hat JBoss BPM Suite 6.3.2 security and bug fix update 2016-08-10 22:52:07 UTC
Red Hat Product Errata RHSA-2016:2035 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.3 security update 2016-10-06 20:18:07 UTC
Red Hat Product Errata RHSA-2016:2036 normal SHIPPED_LIVE Important: Red Hat JBoss A-MQ 6.3 security update 2016-10-06 20:18:02 UTC

Description Martin Prpič 2015-07-03 08:48:38 UTC
The following flaw was found in all versions of Spring Framework:

If DTD is not entirely disabled, inline DTD declarations can be used to perform denial of service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

Upstream bug:

https://jira.spring.io/browse/SPR-13136

External References:

http://pivotal.io/security/cve-2015-3192

Comment 1 Martin Prpič 2015-07-03 08:52:41 UTC
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1239005]

Comment 2 Fedora Update System 2015-07-16 02:35:10 UTC
springframework-3.2.14-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-07-16 02:35:35 UTC
springframework-3.2.14-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 4 Pavel Polischouk 2015-09-21 17:30:33 UTC
This bug is part of Product Security work flow and should only be closed by Product Security engineers.

Comment 7 errata-xmlrpc 2016-06-09 13:49:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.2

Via RHSA-2016:1219 https://access.redhat.com/errata/RHSA-2016:1219

Comment 8 errata-xmlrpc 2016-06-09 13:50:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.2

Via RHSA-2016:1218 https://access.redhat.com/errata/RHSA-2016:1218

Comment 9 errata-xmlrpc 2016-08-10 18:52:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.3.2

Via RHSA-2016:1593 https://rhn.redhat.com/errata/RHSA-2016-1593.html

Comment 10 errata-xmlrpc 2016-08-10 18:53:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.3.2

Via RHSA-2016:1592 https://rhn.redhat.com/errata/RHSA-2016-1592.html

Comment 11 errata-xmlrpc 2016-10-06 16:18:22 UTC
This issue has been addressed in the following products:

  Red Hat JBoss A-MQ 6.3

Via RHSA-2016:2036 https://rhn.redhat.com/errata/RHSA-2016-2036.html

Comment 12 errata-xmlrpc 2016-10-06 16:19:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html


Note You need to log in before you can comment on or make changes to this bug.