Bug 1443585 (CVE-2017-5661) - CVE-2017-5661 fop: XML external entity processing vulnerability
Summary: CVE-2017-5661 fop: XML external entity processing vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-5661
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1472048
Blocks: 1443594
TreeView+ depends on / blocked
 
Reported: 2017-04-19 14:05 UTC by Andrej Nemec
Modified: 2021-10-27 10:52 UTC (History)
26 users (show)

Fixed In Version: fop 2.2
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 10:52:23 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-04-19 14:05:49 UTC 
In Apache FOP before 2.2, files lying on the filesystem of the server which uses FOP can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.

References:

https://xmlgraphics.apache.org/security.html
http://seclists.org/oss-sec/2017/q2/86
Comment 2 Stefan Cornelius 2017-07-05 12:48:55 UTC 
Upstream bug report:
https://issues.apache.org/jira/browse/FOP-2668

Patch:
http://svn.apache.org/viewvc?view=revision&revision=1769967
Comment 5 Doran Moppert 2018-04-26 07:42:19 UTC 
Statement:

The fop packager is no longer used or required by the Red Hat Virtualization Manager. Red Hat recommends removing it after upgrading to Red Hat Virtualization 4.1.
Note You need to log in before you can comment on or make changes to this bug.