[Bug 1764658] New: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
Bug ID: 1764658 Summary: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: psampaio@redhat.com CC: agrimm@gmail.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, caolanm@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ggaughan@redhat.com, gvarsami@redhat.com, ibek@redhat.com, i.gnatenko.brain@gmail.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jcoleman@redhat.com, jhrozek@redhat.com, jochrist@redhat.com, jolee@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jstastny@redhat.com, kconner@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lgao@redhat.com, loleary@redhat.com, lthon@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pgallagh@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, rguimara@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, sdaley@redhat.com, smaestri@redhat.com, spinder@redhat.com, ssorce@redhat.com, sthorger@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, tom.jenkinson@redhat.com, trogers@redhat.com, twalsh@redhat.com, veillard@redhat.com, vhalbert@redhat.com Target Milestone: --- Classification: Other
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.
References:
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&mod... https://lists.apache.org/thread.html/8e814b925bf580bc527d96ff51e72ffe5bdeaa4... https://lists.apache.org/thread.html/edaa7edb9c58e5f5bd0c950f2b6232b62b15f5c... https://security.netapp.com/advisory/ntap-20190910-0003/
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
Pedro Sampaio psampaio@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1764659, 1764660, 1764661
--- Comment #1 from Pedro Sampaio psampaio@redhat.com --- Created xml-security tracking bugs for this issue:
Affects: epel-all [bug 1764660] Affects: fedora-all [bug 1764659]
Created xmlsec1 tracking bugs for this issue:
Affects: fedora-all [bug 1764661]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1764659 [Bug 1764659] CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1764660 [Bug 1764660] CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1764661 [Bug 1764661] CVE-2019-12400 xmlsec1: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
Pedro Sampaio psampaio@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1764662
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
Pedro Sampaio psampaio@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC|i.gnatenko.brain@gmail.com, | |ssorce@redhat.com, | |veillard@redhat.com |
--- Comment #2 from Pedro Sampaio psampaio@redhat.com --- removed xmlsec1 from affects as I found out its a completely not related package.
https://bugzilla.redhat.com/show_bug.cgi?id=1764658 Bug 1764658 depends on bug 1764661, which changed state.
Bug 1764661 Summary: CVE-2019-12400 xmlsec1: xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1764661
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |NOTABUG
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #3 from Kunjan Rathod krathod@redhat.com --- This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Enterprise Application Platform 5 * Red Hat JBoss Operations Network 3 * Red Hat JBoss BRMS 5 * Red Hat JBoss SOA Platform 5
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #5 from Paramvir jindal pjindal@redhat.com --- RHSSO 7.3.4 ships xmlsec-2.1.2.redhat-00001.jar so seems to be affected as per the description: rhsso-7.3/modules/system/layers/base/org/apache/santuario/xmlsec/main/xmlsec-2.1.2.redhat-00001.jar
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #9 from Kunjan Rathod krathod@redhat.com --- This vulnerability is out of security support scope for the following products: * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |xmlsec 2.1.4
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #13 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2020:0811 https://access.redhat.com/errata/RHSA-2020:0811
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:0811
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #14 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2020:0806 https://access.redhat.com/errata/RHSA-2020:0806
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:0806
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #15 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Via RHSA-2020:0804 https://access.redhat.com/errata/RHSA-2020:0804
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:0804
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #16 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Via RHSA-2020:0805 https://access.redhat.com/errata/RHSA-2020:0805
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:0805
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
Product Security DevOps Team prodsec-dev@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |ERRATA Last Closed| |2020-03-12 22:31:54
--- Comment #17 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-12400
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2020:0951 https://access.redhat.com/errata/RHSA-2020:0951
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:0951
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes
Via RHSA-2020:2067 https://access.redhat.com/errata/RHSA-2020:2067
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:2067
https://bugzilla.redhat.com/show_bug.cgi?id=1764658 Bug 1764658 depends on bug 1764659, which changed state.
Bug 1764659 Summary: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1764659
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |EOL
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.7.0
Via RHSA-2020:3192 https://access.redhat.com/errata/RHSA-2020:3192
https://bugzilla.redhat.com/show_bug.cgi?id=1764658
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Link ID| |Red Hat Product Errata | |RHSA-2020:3192
https://bugzilla.redhat.com/show_bug.cgi?id=1764658 Bug 1764658 depends on bug 1764660, which changed state.
Bug 1764660 Summary: CVE-2019-12400 xml-security: Apache Santuario potentially loads XML parsing code from an untrusted source [epel-all] https://bugzilla.redhat.com/show_bug.cgi?id=1764660
What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution|--- |EOL
java-sig-commits@lists.fedoraproject.org
-
bugzilla@redhat.com