Bug 705869 - (CVE-2011-3600) CVE-2011-3600 XML-RPC SAX parser information exposure
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20100206,reported=2...
Keywords: Security
Depends On: 744364
Blocks: 734549
Reported: 2011-05-18 14:17 EDT by Vincent Danen
Modified: 2015-08-22 02:03 EDT

Doc Type: Bug Fix
Last Closed: 2015-08-22 02:03:01 EDT
Attachments: None

Description Vincent Danen 2011-05-18 14:17:04 EDT
The changelog for XML-RPC 3.1.3 [1] indicates:

Fixed a potential security hole: The client has been able to include server side resources into the request by using external entities. Thanks to Johan Hôgre.

I have been unable to find where the fix is (no JIRA noted so cannot find a commit), so it is unclear whether this affects 3.0 or if this was introduced in 3.1.x at some point.

[1] http://ws.apache.org/xmlrpc/changes-report.html#a3.1.3
Comment 1 Andrew Overholt 2011-05-19 09:30:31 EDT
Do you know if there's a test or a way for us to determine if this is present in 3.0, Vincent?  Thanks.
Comment 2 Vincent Danen 2011-05-20 12:08:44 EDT
Andrew, I don't.  I've been unable to find any information on this issue beyond the above (was notified of its existence by a Gentoo bug).  I wish I could find the JIRA and a patch, but I've been unable to find that yet.
Comment 3 Ramon de C Valle 2011-10-05 13:29:10 EDT
[rcvalle@localhost xmlrpc]$ svn diff -r r906431:r906432
Index: src/changes/changes.xml
===================================================================
--- src/changes/changes.xml	(revision 906431)
+++ src/changes/changes.xml	(revision 906432)
@@ -37,6 +37,10 @@
       <action dev="jochen" type="add" due-to="Gam" due-to-email="gamaliel@fastmail.fm">
         Added support for configured timeouts to the XmlRpcSun15HttpTransport class.
       </action>
+      <action dev="jochen" type="fix" due-to="Johan H&#244;gre" due-to-email="johan.hagre@home.se">
+        Fixed a potential security hole: The client has been able to include server side resources
+        into the request by using external entities.
+      </action>
     </release>
 
     <release version="3.1.2" date="2009-Apr-19">
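Review bot: the new <action> entry names the reporter but carries no issue or revision reference, which is exactly why the fix could not be located from the changelog (see the bug description above); add an issue="…" attribute or at least cite the revision this hunk belongs to (r906432 per the svn diff header) so the entry can be traced to the code change. The wording also reads better as "The client could include server-side resources in the request by using external entities", but that is cosmetic.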
Index: common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
===================================================================
--- common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java	(revision 906431)
+++ common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java	(revision 906432)
@@ -34,6 +34,20 @@
 		spf = SAXParserFactory.newInstance();
 		spf.setNamespaceAware(true);
 		spf.setValidating(false);
+		try {
+		    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		} catch (javax.xml.parsers.ParserConfigurationException e) {
+		    // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+		}
+		try {
+		    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        } catch (javax.xml.parsers.ParserConfigurationException e) {
+            // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+		}
 	}
 
 	/** Creates a new instance of {@link XMLReader}.
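Review bot: both setFeature calls swallow ParserConfigurationException and SAXException with "// Ignore it", so on a parser implementation that does not recognise the two SAX features the factory silently keeps resolving external entities and no caller can tell; at minimum log the exception, and preferably fail closed (rethrow as XmlRpcException or fall back to a parser known to honour the features), since the only purpose of these lines is the security property. Consider also disabling DOCTYPE processing outright via the Xerces feature http://apache.org/xml/features/disallow-doctype-decl, which XML-RPC never needs and which additionally stops internal-entity expansion attacks that these two flags leave open. The added lines mix tabs and spaces (the "try {" lines are tab-indented, the "} catch" lines space-indented); match the tab indentation of the surrounding file.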
Index: pom.xml
===================================================================
--- pom.xml	(revision 906431)
+++ pom.xml	(revision 906432)
@@ -187,6 +187,10 @@
       <email>markg@nortel.com</email>
     </contributor>
     <contributor>
+      <name>Johan H&#244;gre</name>
+      <email>johan.hagre@home.se</email>
+    </contributor>
+    <contributor>
       <name>Catalin Hritcu</name>
       <email>Catalin.Hritcu@gmail.com</email>
     </contributor>
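Review bot: the contributor name is written with ô ("H&#244;gre") while the e-mail local part reads "johan.hagre", the same mismatch as in the changes.xml entry in this patch; confirm which spelling the contributor uses before it lands in the published contributor list.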
[rcvalle@localhost xmlrpc]$
Comment 6 Ramon de C Valle 2011-10-05 14:08:02 EDT
According to the reporter, for the information exposure to happen, the error message generated has to be included in the response by the application, which decreases the security impact of this issue.
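The probe below is an added example and is not code from Apache XML-RPC or from this bug. It reproduces the entity-resolution behaviour the r906432 patch changes, using only the JDK's own SAX implementation so it runs without an xmlrpc jar on the classpath, and it answers the question in comment 1 (how to tell whether a given parser setup resolves external entities) while illustrating the reflection path comment 6 describes. The request body, the temporary "secret" file, the class and method names, and the extra disallow-doctype-decl feature are all assumptions of this example, not part of the upstream fix.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/*
 * Added example, not code from Apache XML-RPC or this bug report. It checks
 * whether a SAXParserFactory configuration resolves external general entities,
 * i.e. whether the pre-3.1.3 SAXParsers behaviour pulls server-side files
 * into the parsed request.
 */
public class XmlRpcXxeProbe {

    // The two SAX features r906432 turns off in SAXParsers' static initializer.
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM   = "http://xml.org/sax/features/external-parameter-entities";

    // Same factory setup as the pre-fix static block: namespace-aware, non-validating,
    // entity features left at the parser's defaults (external entities are resolved).
    static SAXParserFactory vulnerableFactory() {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true);
        spf.setValidating(false);
        return spf;
    }

    // The 3.1.3 fix, but failing closed: an unsupported feature propagates as an
    // exception instead of being ignored. disallow-doctype-decl is an addition of
    // this example (Xerces feature, honoured by the JDK parser) that rejects any
    // DTD, which XML-RPC never needs; it is not part of the upstream patch.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory spf = vulnerableFactory();
        spf.setFeature(EXT_GENERAL, false);
        spf.setFeature(EXT_PARAM, false);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return spf;
    }

    // Constructed request: an external general entity pointing at a local file is
    // referenced from methodName. A server that echoes an unknown method name in its
    // fault string reflects the file body to the client (the path comment 6 describes).
    static String xxeRequest(File secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE methodCall [<!ENTITY xxe SYSTEM \"" + secret.toURI() + "\">]>\n"
             + "<methodCall><methodName>&xxe;</methodName><params/></methodCall>";
    }

    // Parses with the given factory and returns whatever text landed in methodName.
    static String parsedMethodName(SAXParserFactory spf, String xml) throws Exception {
        final StringBuilder methodName = new StringBuilder();
        XMLReader reader = spf.newSAXParser().getXMLReader();
        reader.setContentHandler(new DefaultHandler() {
            private boolean inMethodName;
            @Override public void startElement(String uri, String local, String qName, Attributes atts) {
                inMethodName = "methodName".equals(qName);
            }
            @Override public void endElement(String uri, String local, String qName) {
                inMethodName = false;
            }
            @Override public void characters(char[] ch, int start, int len) {
                if (inMethodName) methodName.append(ch, start, len);
            }
        });
        reader.parse(new InputSource(new StringReader(xml)));
        return methodName.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "server-side resource" standing in for a real file such as a config.
        File secret = File.createTempFile("xmlrpc-probe", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "SERVER-SIDE-SECRET".getBytes(StandardCharsets.UTF_8));
        String request = xxeRequest(secret);

        // Pre-fix configuration: the file body becomes the method name.
        System.out.println("default factory  -> methodName = " + parsedMethodName(vulnerableFactory(), request));

        // Fixed configuration: the DOCTYPE is rejected before any entity is resolved.
        try {
            System.out.println("hardened factory -> methodName = " + parsedMethodName(hardenedFactory(), request));
        } catch (SAXParseException e) {
            System.out.println("hardened factory -> rejected: " + e.getMessage());
        }
    }
}
```

Run it with `java XmlRpcXxeProbe.java` (JDK 11 or later single-file launch). To apply the same probe to a specific xmlrpc build, as comment 1 asks, replace `spf.newSAXParser().getXMLReader()` with the reader the library hands out; the static method documented by the last context line of the SAXParsers.java hunk ("Creates a new instance of XMLReader") is the obvious candidate, but that it is the public entry point is an assumption here. A quicker static check on a shipped jar follows from the patch itself: the two feature URLs are string literals in the patched class, so `unzip -p xmlrpc-common.jar org/apache/xmlrpc/util/SAXParsers.class | strings | grep external-general-entities` prints nothing on a build that lacks this fix.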
Comment 9 Tomas Hoger 2011-10-06 03:23:34 EDT
(In reply to comment #7)
> This issue did not affect the versions of xmlrpc3 as shipped with Fedora 13,
> 14, and 15.

I think this is supposed to say that current Fedora is not affected because it's already upgraded to the fixed 3.1.3 version.  That's not the case: F13 (EOL now) and F14 still have 3.0, see:

http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f13
http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f14
Comment 11 Ramon de C Valle 2011-10-06 14:51:05 EDT
(In reply to comment #9)
> (In reply to comment #7)
> > This issue did not affect the versions of xmlrpc3 as shipped with Fedora 13,
> > 14, and 15.
> 
> I think this is supposed to say that current Fedora is not affected because it's
> already upgraded to the fixed 3.1.3 version.  That's not the case: F13 (EOL now)
> and F14 still have 3.0, see:
> 
> http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f13
> http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f14

Thanks for the correction Tomas.
Comment 15 Vincent Danen 2011-10-08 00:08:33 EDT
Created xmlrpc3 tracking bugs for this issue

Affects: fedora-14 [bug 744364]
Comment 17 Vincent Danen 2015-08-22 02:02:49 EDT
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
