c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration, due to missing protections against recursive entity expansion.
References:
https://hackerone.com/reports/509315
http://www.cvedetails.com/cve/CVE-2019-5427/
Upstream commit:
https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b
Created c3p0 tracking bugs for this issue:
Affects: epel-7 [bug 1709862]
Affects: fedora-all [bug 1709861]
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss SOA Platform 5
* Red Hat JBoss BPM Suite 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
In Satellite 5 context: setting severity to Low, because the attack requires c3p0 to be provided with a specially crafted XML configuration file. This should not happen unless the Satellite is already severely compromised.
Statement: Red Hat Satellite 6 is not vulnerable to this issue, because the candlepin component, which uses the c3p0 jar, never passes an XML configuration file to c3p0, even though it includes a vulnerable version of the latter. Since this issue requires an XML file to be loaded by c3p0, an exploitation path doesn't exist.
This vulnerability is out of security support scope for the following product:
* Red Hat Mobile Application Platform
Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.
This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Enterprise Web Server 2
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:
Red Hat Fuse 7.6.0
Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5427