https://bugzilla.redhat.com/show_bug.cgi?id=1578902
Bug ID: 1578902
Summary: CVE-2018-1259 spring-framework: XXE with Spring Data's XMLBeam integration
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
CC: dchen@redhat.com, java-sig-commits@lists.fedoraproject.org, lef@fedoraproject.org, puntogil@libero.it
Spring Data Commons, versions 1.13 prior to 1.13.12 and 2.0 prior to 2.0.7, used in combination with XMLBeam 1.4.14 or earlier versions, contains a property binder vulnerability caused by improper restriction of XML external entity references (CWE-611): the underlying XMLBeam library does not restrict external entity expansion. An unauthenticated remote malicious user can supply specially crafted request parameters to Spring Data's projection-based request payload binding in order to access arbitrary files on the system.
References: https://pivotal.io/security/cve-2018-1259
Laura Pardo lpardo@redhat.com changed:
Priority: low -> medium
Severity: low -> medium
Whiteboard:
  Removed: impact=low,public=20180509,reported=20180511,source=cve,cvss3=5.6/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected
Laura Pardo lpardo@redhat.com changed:
CC added: rhel8-maint@redhat.com
Whiteboard:
  Removed: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected,rhel-8/springframework=affected
Laura Pardo lpardo@redhat.com changed:
CC added: bkundal@redhat.com, bmaxwell@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dimitris@redhat.com, dosoudil@redhat.com, jawilson@redhat.com, lgao@redhat.com, myarboro@redhat.com, pgier@redhat.com, psakar@redhat.com, pslavice@redhat.com, rnetuka@redhat.com, rsvoboda@redhat.com, twalsh@redhat.com, vtunka@redhat.com
Whiteboard:
  Removed: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected,rhel-8/springframework=affected
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected,rhel-8/springframework=affected,eap-5/spring=new
Laura Pardo lpardo@redhat.com changed:
CC added: aileenc@redhat.com, alazarot@redhat.com, anstephe@redhat.com, apevec@redhat.com, chrisw@redhat.com, dffrench@redhat.com, drieden@redhat.com, drusso@redhat.com, etirelli@redhat.com, gvarsami@redhat.com, hghasemb@redhat.com, ibek@redhat.com, jcoleman@redhat.com, jjoyce@redhat.com, jmadigan@redhat.com, jolee@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kbasil@redhat.com, kconner@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgriffin@redhat.com, lhh@redhat.com, lpeer@redhat.com, lpetrovi@redhat.com, markmc@redhat.com, mburns@redhat.com, ngough@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pavelp@redhat.com, pszubiak@redhat.com, pwright@redhat.com, rbryant@redhat.com, rrajasek@redhat.com, rsynek@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sclewis@redhat.com, sdaley@redhat.com, sisharma@redhat.com, slinaber@redhat.com, smohan@redhat.com, ssaha@redhat.com, tcunning@redhat.com, tdecacqu@redhat.com, tjay@redhat.com, tkirby@redhat.com, trepel@redhat.com, vbellur@redhat.com, vhalbert@redhat.com
Whiteboard:
  Removed: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected,rhel-8/springframework=affected,eap-5/spring=new
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected,rhel-8/springframework=affected,eap-5/spring=new,rhes-3/spring=new,amq-6/spring=new,brms-5/spring=new,jdv-6/spring=new,fis-2/spring=new,fuse-7/spring=new,fuse-6/spring=new,fsw-6/spring=new,soap-5/spring=new,rhmap-4/spring=new,openstack-9/spring=new,openstack-10/spring=new,openstack-11/spring=new,openstack-12/spring=new,openstack-13/spring=new
Laura Pardo lpardo@redhat.com changed:
CC removed: aileenc@redhat.com, alazarot@redhat.com, anstephe@redhat.com, apevec@redhat.com, bkundal@redhat.com, bmaxwell@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, chrisw@redhat.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dchen@redhat.com, dimitris@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, gvarsami@redhat.com, ibek@redhat.com, jawilson@redhat.com, jcoleman@redhat.com, jjoyce@redhat.com, jolee@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jstastny@redhat.com, kbasil@redhat.com, kconner@redhat.com, kverlaen@redhat.com, ldimaggi@redhat.com, lef@fedoraproject.org, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lpetrovi@redhat.com, markmc@redhat.com, mburns@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pavelp@redhat.com, pgier@redhat.com, psakar@redhat.com, pslavice@redhat.com, pszubiak@redhat.com, rbryant@redhat.com, rhel8-maint@redhat.com, rnetuka@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sclewis@redhat.com, sdaley@redhat.com, sisharma@redhat.com, slinaber@redhat.com, smohan@redhat.com, ssaha@redhat.com, tcunning@redhat.com, tdecacqu@redhat.com, tkirby@redhat.com, twalsh@redhat.com, vbellur@redhat.com, vhalbert@redhat.com, vtunka@redhat.com
Fixed In Version: spring-framework 1.13.12, spring-framework 2.0.7 -> spring-data-commons 1.13.12, spring-data-commons 2.0.7
Summary: CVE-2018-1259 spring-framework: XXE with Spring Data's XMLBeam integration -> CVE-2018-1259 spring-data-commons: XXE with Spring Data's XMLBeam integration
Whiteboard:
  Removed: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework=affected,rhel-8/springframework=affected,eap-5/spring=new,rhes-3/spring=new,amq-6/spring=new,brms-5/spring=new,jdv-6/spring=new,fis-2/spring=new,fuse-7/spring=new,fuse-6/spring=new,fsw-6/spring=new,soap-5/spring=new,rhmap-4/spring=new,openstack-9/spring=new,openstack-10/spring=new,openstack-11/spring=new,openstack-12/spring=new,openstack-13/spring=new
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework-data-commons=affected,fis-2/spring-data-commons=new,fuse-7/spring-data-commons=new,fuse-6/spring-data-commons=new,rhmap-4/spring-data-commons=new
Laura Pardo lpardo@redhat.com changed:
Depends On: (none) -> 1578939
--- Comment #1 from Laura Pardo lpardo@redhat.com --- Created springframework-data-commons tracking bugs for this issue:
Affects: fedora-all [bug 1578939]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1578939 [Bug 1578939] CVE-2018-1259 springframework-data-commons: spring-data-commons: XXE with Spring Data’s XMLBeam integration [fedora-all]
Laura Pardo lpardo@redhat.com changed:
Blocks: (none) -> 1578941
Hooman Broujerdi hghasemb@redhat.com changed:
Whiteboard:
  Removed: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework-data-commons=affected,fis-2/spring-data-commons=new,fuse-7/spring-data-commons=new,fuse-6/spring-data-commons=new,rhmap-4/spring-data-commons=new
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework-data-commons=affected,fis-2/spring-data-commons=notaffected,fuse-7/spring-data-commons=new,fuse-6/spring-data-commons=notaffected,rhmap-4/spring-data-commons=new
Hooman Broujerdi hghasemb@redhat.com changed:
Whiteboard:
  Removed: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework-data-commons=affected,fis-2/spring-data-commons=notaffected,fuse-7/spring-data-commons=new,fuse-6/spring-data-commons=notaffected,rhmap-4/spring-data-commons=new
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework-data-commons=affected,fis-2/spring-data-commons=notaffected,fuse-7/spring-data-commons=affected,fuse-6/spring-data-commons=notaffected,rhmap-4/spring-data-commons=new
Jason Shepherd jshepherd@redhat.com changed:
Whiteboard:
  Removed: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework-data-commons=affected,fis-2/spring-data-commons=notaffected,fuse-7/spring-data-commons=affected,fuse-6/spring-data-commons=notaffected,rhmap-4/spring-data-commons=new
  Added: impact=moderate,public=20180509,reported=20180511,source=cve,cvss3=7.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L,cwe=CWE-611,fedora-all/springframework-data-commons=affected,fis-2/spring-data-commons=notaffected,fuse-7/spring-data-commons=affected,fuse-6/spring-data-commons=notaffected,rhmap-4/spring-data-commons=notaffected
--- Comment #3 from Jason Shepherd jshepherd@redhat.com --- Spring Data Commons is used by the Millicore component of RHMAP which does not make use of XMLBeam. Marking RHMAP as not affected.
claprun@redhat.com claprun@redhat.com changed:
CC added: claprun@redhat.com
--- Comment #4 from claprun@redhat.com claprun@redhat.com --- Shouldn't this be marked as high as that's how it's marked by Pivotal on its CVE?
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes (text-only advisories)
Via RHSA-2018:1809 https://access.redhat.com/errata/RHSA-2018:1809
errata-xmlrpc errata-xmlrpc@redhat.com changed:
External Bug ID: (none) -> Red Hat Product Errata RHSA-2018:1809
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.2
Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
errata-xmlrpc errata-xmlrpc@redhat.com changed:
External Bug ID: (none) -> Red Hat Product Errata RHSA-2018:3768