Bug 1148260 (CVE-2014-3682) - CVE-2014-3682 jbpm-designer: XXE in BPMN2 import
Summary: CVE-2014-3682 jbpm-designer: XXE in BPMN2 import
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3682
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1150629 1150630 1150631 1150632 1150633 1150634 1152742 1152743 1152744 1152745 1152746 1152747 1152748 1152749 1152750 1152751 1152820
Blocks: 1148261 (embargoed) 1181883 (embargoed)
Reported: 2014-10-01 05:42 UTC by David Jorm
Modified: 2023-05-12 13:49 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
An XML External Entity (XXE) flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Clone Of:
Environment:
Last Closed: 2015-02-17 23:33:31 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2015:0234 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss BPM Suite 6.0.3 security update | 2015-02-18 03:27:47 UTC
Red Hat Product Errata | RHSA-2015:0235 | 0 | normal | SHIPPED_LIVE | Important: Red Hat JBoss BRMS 6.0.3 security update | 2015-02-18 03:27:36 UTC

Description David Jorm 2014-10-01 05:42:48 UTC
An XXE flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
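The defensive fix for this class of flaw is to have the XML parser that backs the import refuse DTDs and external entities. The following is an added illustration, not jbpm-designer's own code or patch: it builds a hardened JDK DOM parser and runs it over two constructed BPMN2 fragments, one plain and one carrying a DOCTYPE, which the hardened importer must reject before any entity is resolved (the feature URIs are the standard Xerces/JAXP ones; the BPMN2 fragments are constructed for this example).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class HardenedBpmn2Import {

    // Constructed BPMN2 fragment without any DTD: what a legitimate import looks like.
    static final String BPMN_PLAIN = "<?xml version=\"1.0\"?>"
        + "<bpmn2:definitions xmlns:bpmn2=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">"
        + "<bpmn2:process id=\"p1\" name=\"plain\"/></bpmn2:definitions>";

    // Constructed fragment carrying a DOCTYPE (harmless internal entity only).
    // BPMN2 never needs a DTD, so a hardened importer rejects the document outright.
    static final String BPMN_WITH_DOCTYPE = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE definitions [ <!ENTITY label \"local\"> ]>\n"
        + "<bpmn2:definitions xmlns:bpmn2=\"http://www.omg.org/spec/BPMN/20100524/MODEL\">"
        + "<bpmn2:process id=\"p1\" name=\"&label;\"/></bpmn2:definitions>";

    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Primary control: any DOCTYPE is a parse error, so no entity can ever be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a DOCTYPE is ever permitted again.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document importBpmn2(String xml) throws Exception {
        return hardenedBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        System.out.println("plain import: " + importBpmn2(BPMN_PLAIN).getDocumentElement().getLocalName());
        try {
            importBpmn2(BPMN_WITH_DOCTYPE);
            System.out.println("DOCTYPE accepted: parser is NOT hardened");
        } catch (SAXParseException e) {
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```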

Comment 1 David Jorm 2014-10-01 05:45:47 UTC
Acknowledgements:

This issue was discovered by David Jorm of Red Hat Product Security.

Comment 9 errata-xmlrpc 2015-02-17 22:30:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 10 errata-xmlrpc 2015-02-17 22:35:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
