An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request. References: https://alephsecurity.com/vulns/aleph-2021003 http://jdom.org/news/index.html Upstream patch: https://github.com/hunterhacker/jdom/pull/188
Created javapackages-bootstrap tracking bugs for this issue: Affects: fedora-all [bug 1973415] Created javapackages-tools tracking bugs for this issue: Affects: fedora-all [bug 1973416] Created jdom2 tracking bugs for this issue: Affects: fedora-all [bug 1973414]
Created javapackages-bootstrap:202001/jdom2 tracking bugs for this issue: Affects: fedora-all [bug 1973557] Created javapackages-tools:202001/jdom2 tracking bugs for this issue: Affects: fedora-all [bug 1973558]
FYI - In jdom (not jdom2), it seems that this vulnerable functionality is in the setFeaturesAndProperties() private method, but in jdom2, it was moved into configureParser() and setFeaturesAndProperties() was removed. E.G. older code from jdom-1.1.3: ``` private void setFeaturesAndProperties(XMLReader parser, boolean coreFeatures) throws JDOMException { Iterator iter = this.features.keySet().iterator(); while (iter.hasNext()) { String name = iter.next(); Boolean value = (Boolean)this.features.get(name); internalSetFeature(parser, name, value.booleanValue(), name); } iter = this.properties.keySet().iterator(); while (iter.hasNext()) { String name = iter.next(); internalSetProperty(parser, name, this.properties.get(name), name); } if (coreFeatures) { try { internalSetFeature(parser, "http://xml.org/sax/features/validation", this.validate, "Validation"); } catch (JDOMException e) { if (this.validate) throw e; } internalSetFeature(parser, "http://xml.org/sax/features/namespaces", true, "Namespaces"); internalSetFeature(parser, "http://xml.org/sax/features/namespace-prefixes", true, "Namespace prefixes"); } try { if (parser.getFeature("http://xml.org/sax/features/external-general-entities") != this.expand) parser.setFeature("http://xml.org/sax/features/external-general-entities", this.expand); } catch (SAXNotRecognizedException sAXNotRecognizedException) { } catch (SAXNotSupportedException sAXNotSupportedException) {} } private void internalSetFeature(XMLReader parser, String feature, boolean value, String displayName) throws JDOMException { try { parser.setFeature(feature, value); } catch (SAXNotSupportedException e) { throw new JDOMException(displayName + " feature not supported for SAX driver " + parser .getClass().getName()); } catch (SAXNotRecognizedException e) { throw new JDOMException(displayName + " feature not recognized for SAX driver " + parser .getClass().getName()); } } ```
This issue has been addressed in the following products: RHINT Camel-K 1.6.4 Via RHSA-2022:1029 https://access.redhat.com/errata/RHSA-2022:1029
This issue has been addressed in the following products: RHPAM 7.12.1 Via RHSA-2022:1108 https://access.redhat.com/errata/RHSA-2022:1108
This issue has been addressed in the following products: RHDM 7.12.1 Via RHSA-2022:1110 https://access.redhat.com/errata/RHSA-2022:1110
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-33813
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532