Bug 1439520 (CVE-2017-7464) - CVE-2017-7464 JBoss: JAXP in EAP 7.0 allows info disclosure via XXE
Summary: CVE-2017-7464 JBoss: JAXP in EAP 7.0 allows info disclosure via XXE
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-7464
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1439976
Reported: 2017-04-06 07:24 UTC by Jason Shepherd
Modified: 2021-02-17 02:22 UTC
CC: 36 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:04:28 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | JBEAP-10220 | 0 | Major | Closed | CVE-2017-7464 XML Frameworks: JBoss: JAXP in EAP 7.0 allows info disclosure via XXE [eap-7.0.5] | 2020-06-19 20:04:57 UTC
Red Hat Issue Tracker | JBEAP-10221 | 0 | Major | Closed | CVE-2017-7464 XML Frameworks: JBoss: JAXP in EAP 7.0 allows info disclosure via XXE [eap-7.2.0] | 2020-06-19 20:04:57 UTC
Red Hat Issue Tracker | WFCORE-2805 | 0 | Major | Closed | Use Xalan from JRE rather than our own fork | 2020-06-19 20:04:57 UTC

Description Jason Shepherd 2017-04-06 07:24:47 UTC
When parsing XML which does entity expansion, the SAXParserFactory used in EAP 7.0.5 expands external entities, even when XMLConstants.FEATURE_SECURE_PROCESSING is set to true.

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
SAXParserFactory parserFactory = SAXParserFactory.newInstance();
parserFactory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // reported as insufficient on EAP 7.0.5: external entities were still expanded

Comment 9 Jason Shepherd 2017-04-20 00:48:10 UTC
Acknowledgments:

Name: Jason Shepherd (Red Hat)

Comment 11 Jason Shepherd 2017-05-11 06:36:10 UTC
Mitigation:

Enable the security features of the DocumentBuilderFactory or SAXParserFactory as described by OWASP:

https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#JAXP_DocumentBuilderFactory.2C_SAXParserFactory_and_DOM4J

Comment 12 Jason Shepherd 2017-05-11 06:55:56 UTC
I found a workaround for this issue, which was to set:
parserFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
I think we should close this one as WONTFIX. But perhaps we can raise a new issue to get the secure options set by default from EAP 7.1?
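
The following probe is an added example, not code from this report or from EAP/WildFly. It reproduces the check described in the description (Comment 0) and the workaround from Comments 11 and 12 against whatever JAXP implementation is on the classpath: it writes a constructed "secret" file, builds a constructed XXE payload whose external entity points at that file, and parses it with three SAXParserFactory configurations: nothing set, FEATURE_SECURE_PROCESSING only (the configuration the report says still expanded entities on EAP 7.0.5), and FEATURE_SECURE_PROCESSING plus disallow-doctype-decl. The class name XxeProbe, the Result holder, the temp file and the payload are all assumptions of this example. Whether the FEATURE_SECURE_PROCESSING-only factory leaks the file depends on the parser implementation in use, which is why the probe reports what each configuration did rather than assuming an outcome; the disallow-doctype-decl configuration should always reject the document before any entity is declared.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added example: probes whether a JAXP SAXParserFactory configuration resolves an external entity. */
public class XxeProbe {

    /** Outcome of one parse: the character data the handler saw, or the exception that stopped the parse. */
    static final class Result {
        final String text;
        final Exception error;
        Result(String text, Exception error) { this.text = text; this.error = error; }
    }

    /** Parses xml with a parser from factory and collects all character data (including expanded entities). */
    static Result parse(SAXParserFactory factory, String xml) {
        StringBuilder text = new StringBuilder();
        try {
            SAXParser parser = factory.newSAXParser();
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
                @Override
                public void characters(char[] ch, int start, int length) {
                    text.append(ch, start, length);
                }
            });
            return new Result(text.toString().trim(), null);
        } catch (ParserConfigurationException | SAXException | IOException e) {
            return new Result(null, e);
        }
    }

    static void report(String label, Result r) {
        if (r.error != null) {
            System.out.println(label + ": document rejected ("
                    + r.error.getClass().getSimpleName() + ": " + r.error.getMessage() + ")");
        } else if (r.text.contains("db-password")) {
            System.out.println(label + ": VULNERABLE, file content leaked into element text: " + r.text);
        } else {
            System.out.println(label + ": entity not expanded, element text = \"" + r.text + "\"");
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file such as a credentials file.
        Path secret = Files.createTempFile("xxe-secret", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed attacker-controlled document: the internal DTD subset declares an
        // external general entity whose system identifier is the local file's URI.
        String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
                + "<data>&xxe;</data>";

        // 1. Factory as obtained from JAXP, nothing configured.
        SAXParserFactory plain = SAXParserFactory.newInstance();

        // 2. Only FEATURE_SECURE_PROCESSING, the configuration from the report.
        SAXParserFactory fspOnly = SAXParserFactory.newInstance();
        fspOnly.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);

        // 3. The workaround from Comment 12: refuse any DOCTYPE, so no entity can be declared.
        SAXParserFactory hardened = SAXParserFactory.newInstance();
        hardened.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        hardened.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);

        report("default factory", parse(plain, payload));
        report("FEATURE_SECURE_PROCESSING only", parse(fspOnly, payload));
        report("FEATURE_SECURE_PROCESSING + disallow-doctype-decl", parse(hardened, payload));
    }
}
```

Compile and run it with `javac XxeProbe.java && java XxeProbe`. Run from a plain JVM it exercises the JDK's own parser; to reproduce the report's finding it has to run where SAXParserFactory.newInstance() resolves to the server's JAXP implementation (for example inside a deployment on the affected EAP version), since WFCORE-2805 above notes that the server shipped its own fork rather than the JRE's. A configuration that prints "document rejected" with a DOCTYPE-related message for the hardened factory, while the default factory prints the leaked file content, shows the disallow-doctype-decl feature closing the hole.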

Comment 15 Product Security DevOps Team 2019-07-12 13:04:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-7464

