Bug 1045257 (CVE-2013-4517) - CVE-2013-4517 Apache Santuario XML Security for Java: Java XML Signature DoS Attack
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4517
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1045275 1045276 1045277 1045278 1045279 1045287 1045288 1157992 1161380 1161381 1161382 1161384 1161385 1161386 1161387 1161388 1161389 1161390 1161391 1161392 1161395
Blocks: 1045272 1050810 1055846 1087103 1089812 1102439 1150823 1200191 1210482
 
Reported: 2013-12-20 03:14 UTC by Arun Babu Neelicattu
Modified: 2021-02-17 07:03 UTC (History)

Fixed In Version: xml-security 1.5.6
Doc Type: Bug Fix
Doc Text:
It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.
Clone Of:
Environment:
Last Closed: 2015-05-01 20:14:38 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0170 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 update 2014-02-13 23:34:17 UTC
Red Hat Product Errata RHSA-2014:0171 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 update 2014-02-13 23:33:33 UTC
Red Hat Product Errata RHSA-2014:0172 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 update 2014-02-13 23:33:27 UTC
Red Hat Product Errata RHSA-2014:0195 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Portal 6.1.1 update 2014-02-20 22:22:16 UTC
Red Hat Product Errata RHSA-2014:0400 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse 6.1.0 update 2014-04-14 18:27:37 UTC
Red Hat Product Errata RHSA-2014:0473 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Operations Network 3.2.1 update 2014-05-06 22:01:24 UTC
Red Hat Product Errata RHSA-2014:0582 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss SOA Platform 5.3.1 update 2014-05-30 00:26:23 UTC
Red Hat Product Errata RHSA-2014:1725 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-10-28 19:51:25 UTC
Red Hat Product Errata RHSA-2014:1726 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-10-28 20:01:49 UTC
Red Hat Product Errata RHSA-2014:1727 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-10-28 20:01:44 UTC
Red Hat Product Errata RHSA-2014:1728 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-10-28 20:01:33 UTC
Red Hat Product Errata RHSA-2015:0675 0 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0850 0 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 0 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC

Description Arun Babu Neelicattu 2013-12-20 03:14:01 UTC
The Apache Santuario XML Security for Java project is vulnerable to a Denial
of Service (DoS) type attack leading to an OutOfMemoryError, which is caused
by allowing Document Type Definitions (DTDs) when applying Transforms.

References:
https://cwiki.apache.org/confluence/download/attachments/27821224/cve-2013-4517.txt.asc
http://svn.apache.org/viewvc?view=revision&revision=1537956
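Defensive configuration for a service that verifies signatures over untrusted XML, as an added example and not code from this bug report or the Santuario project: refuse any DOCTYPE at the parser so no DTD reaches the Transform engine, and switch on Santuario's secure-validation mode for the JSR-105 validation context. Upgrading to xml-security 1.5.6 remains the actual fix; the class name, the caller-supplied KeySelector and the sample document are assumptions.

```java
import java.io.ByteArrayInputStream;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public final class HardenedSignatureVerifier {
    // Parse untrusted XML with DOCTYPE refused at the parser, so no DTD
    // ever reaches the signature Transform engine (defense in depth for this CVE).
    static Document parseWithoutDtd(byte[] xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Xerces/JDK feature: any <!DOCTYPE ...> becomes a fatal parse error.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml));
    }

    // Validate the single ds:Signature with secure validation switched on.
    static boolean verify(Document doc, KeySelector keySelector) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalArgumentException("expected one ds:Signature, found " + sigs.getLength());
        }
        DOMValidateContext ctx = new DOMValidateContext(keySelector, sigs.item(0));
        // Santuario's JSR-105 provider reads the org.apache.jcp property, the JDK's
        // built-in provider reads org.jcp; unknown properties are ignored, so set both.
        ctx.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = fac.unmarshalXMLSignature(ctx);
        return signature.validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: even a bare DOCTYPE is refused before any Transform runs.
        byte[] withDtd = "<?xml version=\"1.0\"?><!DOCTYPE r><r/>".getBytes("UTF-8");
        try {
            parseWithoutDtd(withDtd);
        } catch (SAXParseException e) {
            System.out.println("rejected at parse time: " + e.getMessage());
        }
    }
}
```

Which provider `XMLSignatureFactory.getInstance("DOM")` returns depends on the registered security providers; pass Santuario's provider instance explicitly if the application must use it rather than the JDK's.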

Comment 3 Arun Babu Neelicattu 2013-12-20 05:40:47 UTC
As per http://coheigea.blogspot.com.au/2013/12/security-advisory-cve-2013-4517-released.html

> This issue is fixed (when secure validation is enabled) in Apache Santuario XML Security for Java 1.5.6. This release is picked up by new releases of Apache WSS4J (1.6.13), and Apache CXF (2.7.8 and 2.6.11).

Comment 10 errata-xmlrpc 2014-02-13 18:38:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0172 https://rhn.redhat.com/errata/RHSA-2014-0172.html

Comment 11 errata-xmlrpc 2014-02-13 18:39:50 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 6
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0171 https://rhn.redhat.com/errata/RHSA-2014-0171.html

Comment 12 errata-xmlrpc 2014-02-13 18:41:36 UTC
This issue has been addressed in the following products:

  JBEAP 6 for RHEL 5
  JBEAP 6.2 for RHEL 5

Via RHSA-2014:0170 https://rhn.redhat.com/errata/RHSA-2014-0170.html

Comment 13 errata-xmlrpc 2014-02-20 17:23:29 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.1.1

Via RHSA-2014:0195 https://rhn.redhat.com/errata/RHSA-2014-0195.html

Comment 14 Chess Hazlett 2014-04-15 02:39:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html

Comment 15 errata-xmlrpc 2014-05-06 18:02:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.1

Via RHSA-2014:0473 https://rhn.redhat.com/errata/RHSA-2014-0473.html

Comment 16 errata-xmlrpc 2014-05-29 20:29:18 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 5.3.1

Via RHSA-2014:0582 https://rhn.redhat.com/errata/RHSA-2014-0582.html

Comment 17 Arun Babu Neelicattu 2014-10-28 08:32:32 UTC
Statement:

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4, Fuse Mediation Router 2.7, 2.8 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Fuse ESB Enterprise is now in Maintenance Support phase receiving only qualified Important and Critical impact security fixes. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Red Hat JBoss BRMS 5; Red Hat JBoss Enterprise Application Platform 4; Red Hat JBoss Enterprise Data Services Platform 5; Red Hat JBoss Enterprise Portal Platform 4 and 5; and Red Hat JBoss Enterprise SOA Platform 4 and 5 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Comment 19 Arun Babu Neelicattu 2014-10-28 08:34:16 UTC
Victims Record:

https://github.com/victims/victims-cve-db/blob/master/database/java/2013/4517.yaml

Comment 20 Arun Babu Neelicattu 2014-10-28 08:42:23 UTC
Created xml-security tracking bugs for this issue:

Affects: fedora-all [bug 1157992]

Comment 21 errata-xmlrpc 2014-10-28 15:51:34 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:1725 https://rhn.redhat.com/errata/RHSA-2014-1725.html

Comment 22 errata-xmlrpc 2014-10-28 16:02:11 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 4

Via RHSA-2014:1728 https://rhn.redhat.com/errata/RHSA-2014-1728.html

Comment 23 errata-xmlrpc 2014-10-28 16:02:45 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:1727 https://rhn.redhat.com/errata/RHSA-2014-1727.html

Comment 24 errata-xmlrpc 2014-10-28 16:02:49 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4

Via RHSA-2014:1726 https://rhn.redhat.com/errata/RHSA-2014-1726.html

Comment 25 Martin Prpič 2014-10-29 12:28:29 UTC
IssueDescription:

It was discovered that the Apache Santuario XML Security for Java project allowed Document Type Definitions (DTDs) to be processed when applying Transforms even when secure validation was enabled. A remote attacker could use this flaw to exhaust all available memory on the system, causing a denial of service.

Comment 26 Fedora Update System 2014-11-07 02:30:00 UTC
xml-security-1.5.7-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Comment 28 Fedora Update System 2014-11-10 06:06:02 UTC
xml-security-1.5.7-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Comment 34 errata-xmlrpc 2015-03-11 16:52:03 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 35 errata-xmlrpc 2015-04-16 16:03:58 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html

Comment 36 errata-xmlrpc 2015-04-16 16:08:33 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html

