Bug 1439520 (CVE-2017-7464) - CVE-2017-7464 JBoss: JAXP in EAP 7.0 allows info disclosure via XXE
Summary: CVE-2017-7464 JBoss: JAXP in EAP 7.0 allows info disclosure via XXE
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-7464
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1439976
TreeView+ depends on / blocked
 
Reported: 2017-04-06 07:24 UTC by Jason Shepherd
Modified: 2021-02-17 02:22 UTC (History)
36 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the JAXP implementation used in EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing.
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:28 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-10220 0 Major Closed CVE-2017-7464 XML Frameworks: JBoss: JAXP in EAP 7.0 allows info disclosure via XXE [eap-7.0.5] 2020-06-19 20:04:57 UTC
Red Hat Issue Tracker JBEAP-10221 0 Major Closed CVE-2017-7464 XML Frameworks: JBoss: JAXP in EAP 7.0 allows info disclosure via XXE [eap-7.2.0] 2020-06-19 20:04:57 UTC
Red Hat Issue Tracker WFCORE-2805 0 Major Closed Use Xalan from JRE rather than our own fork 2020-06-19 20:04:57 UTC

Description Jason Shepherd 2017-04-06 07:24:47 UTC 
When parsing XML which does entity expansion the SAXParserFactory used in EAP 7.0.5 expands external entities, even when XMLConstants.FEATURE_SECURE_PROCESSING is set to true.

SAXParserFactory parserFactory = SAXParserFactory.newInstance();
parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Comment 9 Jason Shepherd 2017-04-20 00:48:10 UTC 
Acknowledgments:

Name: Jason Shepherd (Red Hat)
Comment 11 Jason Shepherd 2017-05-11 06:36:10 UTC 
Mitigation:

Enable the security features of the DocumentBuilderFactory or SaxParserFactory as described by OWASP:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
Comment 12 Jason Shepherd 2017-05-11 06:55:56 UTC 
I found a workaround for this issue, which was to set:
parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
I think we should close this one as WONTFIX. But perhaps we can raise a new issues to get the secure options set by default from EAP 7.1?
Comment 15 Product Security DevOps Team 2019-07-12 13:04:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-7464
Note You need to log in before you can comment on or make changes to this bug.