Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1439520 - (CVE-2017-7464) CVE-2017-7464 JBoss: JAXP in EAP 7.0 allows info disclosure via XXE
CVE-2017-7464 JBoss: JAXP in EAP 7.0 allows info disclosure via XXE
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170511,repor...
: Security
Depends On:
Blocks: 1439976
  Show dependency treegraph
 
Reported: 2017-04-06 03:24 EDT by Jason Shepherd
Modified: 2018-10-19 17:40 EDT (History)
37 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the JAXP implementation used in EAP 7.0 for SAX and DOM parsing is vulnerable to certain XXE flaws. An attacker could use this flaw to cause DoS, SSRF, or information disclosure if they are able to provide XML content for parsing.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JBEAP-10220 Major Closed CVE-2017-7464 XML Frameworks: JBoss: JAXP in EAP 7.0 allows info disclosure via XXE [eap-7.0.5] 2018-10-16 00:05 EDT
JBoss Issue Tracker JBEAP-10221 Major Closed CVE-2017-7464 XML Frameworks: JBoss: JAXP in EAP 7.0 allows info disclosure via XXE [eap-7.2.0] 2018-10-16 00:05 EDT
JBoss Issue Tracker WFCORE-2805 Major Closed Use Xalan from JRE rather than our own fork 2018-10-16 00:05 EDT

  None (edit)
Description Jason Shepherd 2017-04-06 03:24:47 EDT 
When parsing XML which does entity expansion the SAXParserFactory used in EAP 7.0.5 expands external entities, even when XMLConstants.FEATURE_SECURE_PROCESSING is set to true.

SAXParserFactory parserFactory = SAXParserFactory.newInstance();
parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
Comment 9 Jason Shepherd 2017-04-19 20:48:10 EDT 
Acknowledgments:

Name: Jason Shepherd (Red Hat)
Comment 11 Jason Shepherd 2017-05-11 02:36:10 EDT 
Mitigation:

Enable the security features of the DocumentBuilderFactory or SaxParserFactory as described by OWASP:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J
Comment 12 Jason Shepherd 2017-05-11 02:55:56 EDT 
I found a workaround for this issue, which was to set:
parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
I think we should close this one as WONTFIX. But perhaps we can raise a new issues to get the secure options set by default from EAP 7.1?
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.