Bug 705869 (CVE-2011-3600) - CVE-2011-3600 XML-RPC SAX parser information exposure
Summary: CVE-2011-3600 XML-RPC SAX parser information exposure
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2011-3600
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 744364
Blocks: 734549
TreeView+ depends on / blocked
 
Reported: 2011-05-18 18:17 UTC by Vincent Danen
Modified: 2019-09-29 12:45 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-08-22 06:03:01 UTC


Attachments (Terms of Use)

Description Vincent Danen 2011-05-18 18:17:04 UTC
The changelog for XML-RPC 3.1.3 [1] indicates:

Fixed a potential security hole: The client has been able to include server side resources into the request by using external entities. Thanks to Johan Hôgre.

I have been unable to find where the fix is (no JIRA noted so cannot find a commit), so it is unclear whether this affects 3.0 or if this was introduced in 3.1.x at some point.

[1] http://ws.apache.org/xmlrpc/changes-report.html#a3.1.3

Comment 1 Andrew Overholt 2011-05-19 13:30:31 UTC
Do you know if there's a test or a way for us to determine if this is present in 3.0, Vincent?  Thanks.

Comment 2 Vincent Danen 2011-05-20 16:08:44 UTC
Andrew, I don't.  I've been unable to find any information on this issue beyond the above (was notified of its existence by a Gentoo bug).  I wish I could find the JIRA and a patch, but I've been unable to find that yet.

Comment 3 Ramon de C Valle 2011-10-05 17:29:10 UTC
[rcvalle@localhost xmlrpc]$ svn diff -r r906431:r906432
Index: src/changes/changes.xml
===================================================================
--- src/changes/changes.xml	(revision 906431)
+++ src/changes/changes.xml	(revision 906432)
@@ -37,6 +37,10 @@
       <action dev="jochen" type="add" due-to="Gam" due-to-email="gamaliel@fastmail.fm">
         Added support for configured timeouts to the XmlRpcSun15HttpTransport class.
       </action>
+      <action dev="jochen" type="fix" due-to="Johan H&#244;gre" due-to-email="johan.hagre@home.se">
+        Fixed a potential security hole: The client has been able to include server side resources
+        into the request by using external entities.
+      </action>
     </release>
 
     <release version="3.1.2" date="2009-Apr-19">
Index: common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java
===================================================================
--- common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java	(revision 906431)
+++ common/src/main/java/org/apache/xmlrpc/util/SAXParsers.java	(revision 906432)
@@ -34,6 +34,20 @@
 		spf = SAXParserFactory.newInstance();
 		spf.setNamespaceAware(true);
 		spf.setValidating(false);
+		try {
+		    spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
+		} catch (javax.xml.parsers.ParserConfigurationException e) {
+		    // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+		}
+		try {
+		    spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
+        } catch (javax.xml.parsers.ParserConfigurationException e) {
+            // Ignore it
+        } catch (org.xml.sax.SAXException e) {
+            // Ignore it
+		}
 	}
 
 	/** Creates a new instance of {@link XMLReader}.
Index: pom.xml
===================================================================
--- pom.xml	(revision 906431)
+++ pom.xml	(revision 906432)
@@ -187,6 +187,10 @@
       <email>markg@nortel.com</email>
     </contributor>
     <contributor>
+      <name>Johan H&#244;gre</name>
+      <email>johan.hagre@home.se</email>
+    </contributor>
+    <contributor>
       <name>Catalin Hritcu</name>
       <email>Catalin.Hritcu@gmail.com</email>
     </contributor>
[rcvalle@localhost xmlrpc]$

Comment 6 Ramon de C Valle 2011-10-05 18:08:02 UTC
According to the reporter, for the information exposure happen, the error message generated should be included in the response by the application. Thus, decreasing the security impact of this issue.

Comment 9 Tomas Hoger 2011-10-06 07:23:34 UTC
(In reply to comment #7)
> This issue did not affect the versions of xmlrpc3 as shipped with Fedora 13,
> 14, and 15.

I thinks is supposed to say current Fedora is not affected because it's already upgraded to fixed 3.1.3 version.  That's not the case, F13 (EOL now) and F14 still have 3.0, see:

http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f13
http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f14

Comment 11 Ramon de C Valle 2011-10-06 18:51:05 UTC
(In reply to comment #9)
> (In reply to comment #7)
> > This issue did not affect the versions of xmlrpc3 as shipped with Fedora 13,
> > 14, and 15.
> 
> I thinks is supposed to say current Fedora is not affected because it's already
> upgraded to fixed 3.1.3 version.  That's not the case, F13 (EOL now) and F14
> still have 3.0, see:
> 
> http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f13
> http://pkgs.fedoraproject.org/gitweb/?p=xmlrpc3.git;a=blob;f=sources;hb=f14

Thanks for the correction Tomas.

Comment 15 Vincent Danen 2011-10-08 04:08:33 UTC
Created xmlrpc3 tracking bugs for this issue

Affects: fedora-14 [bug 744364]

Comment 17 Vincent Danen 2015-08-22 06:02:49 UTC
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.


Note You need to log in before you can comment on or make changes to this bug.