Bug 1110110 (CVE-2014-0225) - CVE-2014-0225 Spring Framework: Information disclosure via SSRF
Summary: CVE-2014-0225 Spring Framework: Information disclosure via SSRF
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0225
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1110112 1110113 1110114 1110115 1110116 1110327 1110328 1110329 1110330 1110331 1110332 1110333 1166968 1166969 1166970
Blocks: 1059445 1110111
TreeView+ depends on / blocked
 
Reported: 2014-06-17 05:05 UTC by Arun Babu Neelicattu
Modified: 2021-02-17 06:28 UTC (History)
65 users (show)

Fixed In Version: spring-webmvc-3.2.9.RELEASE, spring-webmvc-4.0.5.RELEASE, spring-oxm-3.2.9.RELEASE, spring-oxm-4.0.5.RELEASE
Doc Type: Bug Fix
Doc Text:
It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers.
Clone Of:
Environment:
Last Closed: 2016-01-21 20:54:54 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1351 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.1.0 security update 2014-10-01 22:10:39 UTC

Description Arun Babu Neelicattu 2014-06-17 05:05:53 UTC 
When processing user provided XML documents, the Spring Framework did not disable by default the resolution of URI references in a DTD declaration. By observing differences in response times, an attacker could then identify valid IP addresses on the internal network with functioning web servers.

Affects:
Spring MVC 3.0.0 to 3.2.8
Spring MVC 4.0.0 to 4.0.4
Spring OXM 3.0.0 to 3.2.8
Spring OXM 4.0.0 to 4.0.4

Upstream notes that earlier unsupported versions may be affected.

Upstream Bug Report:
https://jira.spring.io/browse/SPR-11768

Upstream Fix:
https://github.com/spring-projects/spring-framework/commit/c6503ebbf7c9e21ff022c58706dbac5417b2b5eb (3.2.9)
https://github.com/spring-projects/spring-framework/commit/8e096aeef55287dc829484996c9330cf755891a1 (4.0.5)

References:
http://www.gopivotal.com/security/cve-2014-0225
Comment 3 Arun Babu Neelicattu 2014-06-17 05:19:41 UTC 
Added to Victims CVE DB [1].

[1] https://github.com/victims/victims-cve-db/blob/master/database/java/2014/0225.yaml
Comment 5 Arun Babu Neelicattu 2014-06-17 12:57:56 UTC 
Created springframework tracking bugs for this issue:

Affects: fedora-all [bug 1110333]
Comment 7 Kurt Seifried 2014-06-25 07:23:18 UTC 
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.
Comment 8 Martin Prpič 2014-09-29 12:05:26 UTC 
IssueDescription:

It was found that the Spring Framework did not, by default, disable the resolution of URI references in a DTD declaration when processing user-provided XML documents. By observing differences in response times, an attacker could identify valid IP addresses on the internal network with functioning web servers.
Comment 9 errata-xmlrpc 2014-10-01 18:11:16 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse/A-MQ 6.1.0

Via RHSA-2014:1351 https://rhn.redhat.com/errata/RHSA-2014-1351.html
Comment 15 Fedora Update System 2015-05-08 07:40:07 UTC 
springframework-3.1.4-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Pavel Polischouk 2015-09-21 17:30:43 UTC 
This bug is part of Product Security work flow and should only be closed by Product Security engineers.
Note You need to log in before you can comment on or make changes to this bug.