Bug 921334 (CVE-2013-1856) - CVE-2013-1856 rubygem-activesupport: jdom: XML Parsing Vulnerability affecting JRuby users
Summary: CVE-2013-1856 rubygem-activesupport: jdom: XML Parsing Vulnerability affectin...
Status: CLOSED UPSTREAM
Alias: CVE-2013-1856
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20130318,repor...
Keywords: Security
Depends On: 922925
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-03-14 02:58 UTC by Kurt Seifried
Modified: 2019-06-10 11:00 UTC (History)
1 user (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-06-10 11:00:20 UTC


Attachments (Terms of Use)
3-0-jdom.patch (4.69 KB, patch)
2013-03-14 20:32 UTC, Kurt Seifried
no flags Details | Diff
3-1-jdom.patch (4.63 KB, patch)
2013-03-14 20:32 UTC, Kurt Seifried
no flags Details | Diff
3-2-jdom.patch (4.63 KB, patch)
2013-03-14 20:32 UTC, Kurt Seifried
no flags Details | Diff

Description Kurt Seifried 2013-03-14 02:58:17 UTC
XML Parsing Vulnerability affecting JRuby users

There is a vulnerability in the JDOM backend to ActiveSupport's XML parser.  This could allow an attacker to perform a denial of service attack or gain access to files stored on the application server.  This vulnerability has been assigned the CVE identifier CVE-2013-1856.

Versions Affected:  3.0.0 and All Later Versions when using JRuby
Not affected:       Applications not using JRuby or JRuby applications not using the JDOM backend.      
Fixed Versions:     3.2.13, 3.1.12

Impact 
------ 
The ActiveSupport XML parsing functionality supports multiple pluggable backends.  One backend supported for JRuby users is ActiveSupport::XmlMini_JDOM which makes use of the javax.xml.parsers.DocumentBuilder class.

In some JVM configurations the default settings of that class can allow an attacker to construct XML which, when parsed, will contain the contents of arbitrary URLs including files from the application server.  They may also allow for various denial of service attacks.

If you are using JRuby and have an affected JVM, you should upgrade or use one of the work arounds immediately.

Releases 
-------- 
The 3.2.13 and 3.1.12 releases are available at the normal locations. 

Workarounds 
----------- 
If you are unable to upgrade, you can place this code in an application initializer to prevent this issue:

  ActiveSupport::XmlMini.backend="REXML"

Patches 
------- 
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 

* 3-2-jdom.patch - Patch for 3.2 series 
* 3-1-jdom.patch - Patch for 3.1 series 
* 3-0-jdom.patch - Patch for 3.0 series 

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits 
-------
Thanks to Ben Murphy for reporting this vulnerability to us and working with us to inform other affected libraries and programming languages.

Comment 1 Kurt Seifried 2013-03-14 20:32:07 UTC
Created attachment 710230 [details]
3-0-jdom.patch

Comment 2 Kurt Seifried 2013-03-14 20:32:25 UTC
Created attachment 710231 [details]
3-1-jdom.patch

Comment 3 Kurt Seifried 2013-03-14 20:32:42 UTC
Created attachment 710232 [details]
3-2-jdom.patch

Comment 4 Kurt Seifried 2013-03-16 05:27:28 UTC
Please note that upstream reports that the patches have an issue and will be reissued this weekend most likely so we might need to respin this fix.

Comment 5 Vincent Danen 2013-03-18 19:22:46 UTC
This is public now, patches are attached to the mail.

http://www.openwall.com/lists/oss-security/2013/03/18/4

Comment 6 Vincent Danen 2013-03-18 19:24:07 UTC
Created rubygem-activesupport tracking bugs for this issue

Affects: fedora-all [bug 922925]

Comment 7 Kurt Seifried 2013-03-19 20:57:44 UTC
Please note that these patches were not affected by the upstream changes.

Comment 8 Product Security DevOps Team 2019-06-10 11:00:20 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.


Note You need to log in before you can comment on or make changes to this bug.