It was reported [1] that the Spring Framework suffered from several XML External Entity (XXE) flaws:

Versions Affected:
- 3.0.0 to 3.2.3 (Spring OXM)
- 3.2.0 to 3.2.3 (Spring MVC)
- 4.0.0.M1 (Spring OXM)
- 4.0.0.M1-4.0.0.M2 (Spring MVC)
- Earlier unsupported versions may also be affected

Description:
The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible source implementations passed to the unmarshaller:
- DOMSource
- StAXSource
- SAXSource
- StreamSource

For a DOMSource, the XML has already been parsed by user code and that code is responsible for protecting against XXE. For a StAXSource, the XMLStreamReader has already been created by user code and that code is responsible for protecting against XXE. For SAXSource and StreamSource instances, Spring processed external entities by default, thereby creating this vulnerability.

The issue was resolved by disabling external entity processing by default and adding an option to enable it for those users who need to use this feature when processing XML from a trusted source.

It was also identified that Spring MVC processed user-provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has been disabled in this case.

Mitigation:
Users of affected versions should apply the following mitigation:
- Users of 3.x should upgrade to 3.2.4 or later
- Users of 4.x should upgrade to 4.0.0.RC1 or later once released

Note: the Spring OXM issue is fixed in 4.0.0.M2.

[1] http://seclists.org/bugtraq/2013/Aug/154

External References:
http://www.gopivotal.com/security/cve-2013-4152
https://github.com/SpringSource/spring-framework/pull/317
https://jira.springsource.org/browse/SPR-10806
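As an added illustration (not code from the advisory, Spring, or this tracker), here is how user code builds the SAXSource and StAXSource described above with external entity resolution switched off, so the parser settings no longer depend on the OXM wrapper's defaults. It assumes JAXB is available as javax.xml.bind (as on Java 8) and feeds both sources a constructed sample document containing an external entity declaration.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stax.StAXSource;
import org.xml.sax.InputSource;

public class HardenedJaxbSources {
    @XmlRootElement(name = "note") public static class Note { public String body; } // hypothetical payload type
    interface SourceFactory { Source make() throws Exception; }

    // Constructed sample: an external entity pointing at a local file, referenced inside <body>.
    static final String SAMPLE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
        + "<note><body>&ext;</body></note>";

    // SAXSource over an XMLReader we configure ourselves: DOCTYPE is rejected, external entities are never fetched.
    static Source hardenedSaxSource(String xml) throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return new SAXSource(spf.newSAXParser().getXMLReader(), new InputSource(new StringReader(xml)));
    }

    // StAXSource over an XMLInputFactory with DTD support and external entity resolution off:
    // this is the configuration user code owns when it hands an XMLStreamReader to the unmarshaller.
    static Source hardenedStaxSource(String xml) throws Exception {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return new StAXSource(xif.createXMLStreamReader(new StringReader(xml)));
    }

    // Both outcomes are the safe ones: the parser rejects the document, or it parses with &ext; left unexpanded.
    static String unmarshalBody(Unmarshaller u, SourceFactory f) {
        try {
            return "body=[" + ((Note) u.unmarshal(f.make())).body + "]";
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        System.out.println("SAX : " + unmarshalBody(u, () -> hardenedSaxSource(SAMPLE)));
        System.out.println("StAX: " + unmarshalBody(u, () -> hardenedStaxSource(SAMPLE)));
    }
}
```

Which of the two safe outcomes you see depends on the SAX and StAX implementations on the classpath; what must never appear is the content of the referenced file.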
Further information on this was recently posted: http://seclists.org/fulldisclosure/2013/Nov/14
This issue has been split; MITRE has provided the following guidance on CVE names:

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-4152 to the following vulnerability:

Name: CVE-2013-4152
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4152
Assigned: 20130612
Reference: http://seclists.org/bugtraq/2013/Aug/154
Reference: http://seclists.org/fulldisclosure/2013/Nov/14
Reference: http://www.gopivotal.com/security/cve-2013-4152
Reference: https://github.com/spring-projects/spring-framework/pull/317/files
Reference: https://jira.springsource.org/browse/SPR-10806

The Spring OXM wrapper in Spring Framework before 3.2.4 and 4.0.0.M1, when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Common Vulnerabilities and Exposures assigned an identifier CVE-2013-7315 to the following vulnerability:

Name: CVE-2013-7315
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7315
Assigned: 20140123
Reference: http://seclists.org/bugtraq/2013/Aug/154
Reference: http://seclists.org/fulldisclosure/2013/Nov/14
Reference: http://www.gopivotal.com/security/cve-2013-4152
Reference: https://jira.springsource.org/browse/SPR-10806

The Spring MVC in Spring Framework 3.2.x before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
This issue has been addressed in the following products:

Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2014:0212 https://rhn.redhat.com/errata/RHSA-2014-0212.html
This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise 2.0

Via RHSA-2014:0245 https://rhn.redhat.com/errata/RHSA-2014-0245.html
This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise 1.2

Via RHSA-2014:0254 https://rhn.redhat.com/errata/RHSA-2014-0254.html
This issue has been addressed in the following products:

Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html
This issue has been addressed in the following products:

Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html