1148260 – (CVE-2014-3682) CVE-2014-3682 jbpm-designer: XXE in BPMN2 import

Bug 1148260 (CVE-2014-3682) - CVE-2014-3682 jbpm-designer: XXE in BPMN2 import

Summary: CVE-2014-3682 jbpm-designer: XXE in BPMN2 import

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-3682
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1150629 1150630 1150631 1150632 1150633 1150634 1152742 1152743 1152744 1152745 1152746 1152747 1152748 1152749 1152750 1152751 1152820
Blocks:	1148261 1181883
TreeView+	depends on / blocked

Reported:	2014-10-01 05:42 UTC by David Jorm
Modified:	2023-05-12 13:49 UTC (History)
CC List:	28 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	An XML External Entity (XXE) flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.
Clone Of:
Environment:
Last Closed:	2015-02-17 23:33:31 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0234	0	normal	SHIPPED_LIVE	Important: Red Hat JBoss BPM Suite 6.0.3 security update	2015-02-18 03:27:47 UTC
Red Hat Product Errata	RHSA-2015:0235	0	normal	SHIPPED_LIVE	Important: Red Hat JBoss BRMS 6.0.3 security update	2015-02-18 03:27:36 UTC

Description David Jorm 2014-10-01 05:42:48 UTC

An XXE flaw was found in the jbpm-designer BPMN2 import function. A remote attacker could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.

Comment 1 David Jorm 2014-10-01 05:45:47 UTC

Acknowledgements:

This issue was discovered by David Jorm of Red Hat Product Security.

Comment 8 Pavel Polischouk 2015-01-30 16:30:35 UTC

Upstream fixes:

master: https://github.com/droolsjbpm/jbpm-designer/commit/382e43a6a203c547b91eca41dc213da98fdbf3a6
6.2.x: https://github.com/droolsjbpm/jbpm-designer/commit/69d8f6b7a099594bd0536f88d528753875857088

master: https://github.com/droolsjbpm/droolsjbpm-integration/commit/c04255ecbfcc2a50b3ed9407f4fd4570309ac214
6.2.X: https://github.com/droolsjbpm/droolsjbpm-integration/commit/ef500fd8b6d6b84313daa37276dc403f359c2fff

6.0.x
https://github.com/droolsjbpm/jbpm-designer/commit/5641588c730cc75dc3b76c34b76271fbd407fb84
https://github.com/droolsjbpm/jbpm-designer/commit/be3968d51299f6de0011324be60223ede49ecb1c

https://github.com/droolsjbpm/droolsjbpm-integration/commit/2d2074a00d16ad0bb177dbd473c423898b83eb7b
https://github.com/droolsjbpm/droolsjbpm-integration/commit/8a3862ba41d730dcc8a76ae0d86d63c75fd30295

Comment 9 errata-xmlrpc 2015-02-17 22:30:35 UTC

This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 10 errata-xmlrpc 2015-02-17 22:35:09 UTC

This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Note You need to log in before you can comment on or make changes to this bug.

alazarot
bleanhar
ccoleman
dmcphers
etirelli
grocha
jcoleman
jdetiber
jialiu
jkeck
jokerman
kconner
kseifried
kverlaen
lmeyer
lpetrovi
mbaluch
mjc
mmccomas
mwinkler
nwallace
pavelp
pzapataf
rrajasek
rzhang
security-response-team
tkirby
weli