Bug 1225252 (CVE-2015-3208) - CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Summary: CVE-2015-3208 hornetq: XXE/SSRF in XPath selector
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-3208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1478549 1478550 1478551 1545359
Blocks: 1225253
Reported: 2015-05-27 00:40 UTC by Fabio Olive Leite
Modified: 2023-05-12 16:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-06-16 04:50:53 UTC
Embargoed:




Links:
Red Hat Product Errata RHSA-2018:2927 (last updated 2018-10-16 15:19:15 UTC)

Description Fabio Olive Leite 2015-05-27 00:40:56 UTC
An XXE vulnerability was reported in the XPath component of HornetQ,
which is present in various middleware products.

Comment 2 Fabio Olive Leite 2015-05-27 02:58:03 UTC
Acknowledgements:

Red Hat would like to thank David Jorm of IIX Product Security for reporting this issue.

Comment 5 Kurt Seifried 2015-07-24 04:27:03 UTC
This issue appears to have been fixed in the following commit:

https://github.com/apache/activemq-artemis/commit/48d9951d879e0c8cbb59d4b64ab59d53ef88310d

Comment 6 Clebert Suconic 2017-08-01 20:36:22 UTC
There is no release prior to that commit. Why is this being considered a CVE?

Comment 7 Clebert Suconic 2017-08-01 20:42:20 UTC
There has never been a release of Artemis before that commit. Is there any way to challenge the CVE?

Comment 8 Fabio Olive Leite 2017-08-03 20:27:21 UTC
Hi Clebert, I have asked two Product Security engineers to review this flaw and update the metadata if it is indeed incorrect.

Comment 9 Clebert Suconic 2017-08-03 20:48:03 UTC
In HornetQ.. maybe.. but never in Artemis.


I'm not sure this was an issue with hornetq.. as maybe it wasn't released.

Comment 10 Jason Shepherd 2017-08-03 23:08:05 UTC
Kurt, I don't think that SAM or Sat 6 could be affected here. The affected code never made it into a release AFAIK. Can you verify and update the whiteboard on this?

Comment 11 Kurt Seifried 2017-08-04 18:59:06 UTC
Created hornetq tracking bugs for this issue:

Affects: fedora-all [bug 1478551]

Comment 13 errata-xmlrpc 2018-10-16 15:18:59 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2018:2927 https://access.redhat.com/errata/RHSA-2018:2927

Comment 14 ecottom 2021-01-15 15:27:50 UTC
(In reply to Clebert Suconic from comment #7)
> There has never been a release of Artemis before that commit. Is there any
> way to challenge the CVE?

https://cve.mitre.org/cve/cna/rules.html#appendix_c_process_to_correct_assignment_issues_update_cve_entries

https://cve.mitre.org/about/documents.html
CNA Processes
English: https://cve.mitre.org/cve/cna/CNA_Processes.pptx | https://youtu.be/yLqUMKD2Y9k
Japanese: https://cve.mitre.org/cve/cna/CNA_Processes_ja.pptx


Note You need to log in before you can comment on or make changes to this bug.