When processing user-provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. By observing differences in response times, an attacker could then identify valid IP addresses on the internal network with functioning web servers.

Affects:
Spring MVC 3.0.0 to 3.2.8
Spring MVC 4.0.0 to 4.0.4
Spring OXM 3.0.0 to 3.2.8
Spring OXM 4.0.0 to 4.0.4

Upstream notes that earlier unsupported versions may be affected.

Upstream Bug Report:
https://jira.spring.io/browse/SPR-11768

Upstream Fix:
https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb (3.2.9)
https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1 (4.0.5)

References:
http://www.gopivotal.com/security/cve-2014-0225
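The mechanism behind this flaw is plain JAXP behaviour: a parser that still honours DOCTYPE will try to fetch the external DTD subset named by the SYSTEM identifier, and the attacker controls that identifier. The example below is an added illustration, not code from the Spring project or from this bug. It parses a constructed payload (10.0.0.5 and probe.dtd are placeholders) twice: once with a default SAXParserFactory, once with the DOCTYPE disallowed via the standard Xerces/JAXP feature URIs. An entity resolver records what the parser asks for instead of fetching it, so the program runs offline and shows the outbound request the vulnerable configuration would have made.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class DtdResolutionDemo {

    // Constructed attacker payload: the DOCTYPE points at a host on the
    // internal network. 10.0.0.5 is a placeholder, not a real target.
    static final String PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE order SYSTEM \"http://10.0.0.5/probe.dtd\">\n"
      + "<order><id>1</id></order>";

    // Records every external entity the parser asks for instead of
    // fetching it, so the demo makes no network connection at all.
    static final class RecordingResolver implements EntityResolver {
        final List<String> requested = new ArrayList<>();

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);
            return new InputSource(new StringReader("")); // serve an empty DTD
        }
    }

    // Parser as JAXP ships it: DOCTYPE is accepted and the external DTD
    // subset is loaded, which is the behaviour the advisory describes.
    static XMLReader defaultReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        return f.newSAXParser().getXMLReader();
    }

    // Hardened parser: reject any DOCTYPE outright and, as a second line
    // of defence, disable external general and parameter entities.
    // These are the standard Xerces/JAXP feature URIs, not a Spring API.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser().getXMLReader();
    }

    // Parses PAYLOAD with the given reader and returns the system IDs the
    // parser tried to resolve; a SAXException means the document was refused.
    static List<String> parseAndRecord(XMLReader reader) throws Exception {
        RecordingResolver resolver = new RecordingResolver();
        reader.setEntityResolver(resolver);
        reader.setContentHandler(new DefaultHandler());
        reader.parse(new InputSource(
            new ByteArrayInputStream(PAYLOAD.getBytes(StandardCharsets.UTF_8))));
        return resolver.requested;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default parser asked to fetch: "
            + parseAndRecord(defaultReader()));
        try {
            parseAndRecord(hardenedReader());
            System.out.println("hardened parser: document accepted (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened parser refused the document: " + e.getMessage());
        }
    }
}
```

With the default reader the resolver is handed the attacker's URL; in a real deployment that is an HTTP connection from the application server to 10.0.0.5, and the time it takes to fail or succeed is the side channel the advisory describes. With DOCTYPE disallowed the parser raises a SAXParseException before any resolution happens. When checking a Spring application rather than raw JAXP, look at how the XML HttpMessageConverters and Jaxb2Marshaller construct their readers; the fixed releases turn DTD and external-entity handling off by default there, and applications that build their own parsers still need the features above.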
Added to Victims CVE DB [1].

[1] https://github.com/victims/victims-cve-db/blob/master/database/java/2014/0225.yaml
Created springframework tracking bugs for this issue: Affects: fedora-all [bug 1110333]
Statement: Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/site/support/policy/updates/openshift.
IssueDescription: It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers.
This issue has been addressed in the following products:

Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
springframework-3.1.4-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This bug is part of Product Security work flow and should only be closed by Product Security engineers.