1663857 – (CVE-2018-11788) CVE-2018-11788 karaf: XML external entity processing

Bug 1663857 (CVE-2018-11788) - CVE-2018-11788 karaf: XML external entity processing

Summary: CVE-2018-11788 karaf: XML external entity processing

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-11788
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1665863 1665864 1665865 1665866 1666164
Blocks:	1663858
TreeView+	depends on / blocked

Reported:	2019-01-07 08:41 UTC by Andrej Nemec
Modified:	2021-10-25 09:51 UTC (History)
CC List:	10 users (show)
Fixed In Version:	karaf 4.1.7, karaf 4.2.2
Clone Of:
Environment:
Last Closed:	2021-10-25 09:51:16 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2019-01-07 08:41:22 UTC

It was found that Apache Karaf XMLInputFactory class doesn't contain any mitigation codes against XXE. This is a potential security risk as an user can inject external XML entities.

Upstream patch:

https://gitbox.apache.org/repos/asf?p=karaf.git;h=cc3332e

References:

https://issues.apache.org/jira/browse/KARAF-5911

Comment 14 Summer Long 2020-12-22 05:20:28 UTC

Statement:

Red Hat OpenStack Platform: Karaf is used by RHOSP's OpenDaylight, and this flaw impacts the loading of XML documents within Karaf, allowing arbitrary XML to be injected into parsed documents. The impact of this vulnerability is reduced in OpenDaylight, given karaf is an administrative component and not normally exposed to public networks or non-privileged users, and therefore will not be fixed at this time.

Fuse 7:
The impact of this vulnerability is reduced, as exploiting it would require a authenticated user, and no unsecured endpoints are exposed to the network

Note You need to log in before you can comment on or make changes to this bug.