Return-Path: <notifications-return-37892-archive-asf-public=cust-asf.ponee.io@accumulo.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 79E63200BE8
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Fri,  9 Dec 2016 04:37:00 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 7869F160B27; Fri,  9 Dec 2016 03:37:00 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id E5EF0160B1F
	for <archive-asf-public@cust-asf.ponee.io>; Fri,  9 Dec 2016 04:36:59 +0100 (CET)
Received: (qmail 39681 invoked by uid 500); 9 Dec 2016 03:36:58 -0000
Mailing-List: contact notifications-help@accumulo.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:notifications-help@accumulo.apache.org>
List-Unsubscribe: <mailto:notifications-unsubscribe@accumulo.apache.org>
List-Post: <mailto:notifications@accumulo.apache.org>
List-Id: <notifications.accumulo.apache.org>
Reply-To: jira@apache.org
Delivered-To: mailing list notifications@accumulo.apache.org
Received: (qmail 39670 invoked by uid 99); 9 Dec 2016 03:36:58 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 09 Dec 2016 03:36:58 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 6C45E2C0086
	for <notifications@accumulo.apache.org>; Fri,  9 Dec 2016 03:36:58 +0000 (UTC)
Date: Fri, 9 Dec 2016 03:36:58 +0000 (UTC)
From: "Josh Elser (JIRA)" <jira@apache.org>
To: notifications@accumulo.apache.org
Message-ID: <JIRA.13026864.1481254563000.480008.1481254618319@Atlassian.JIRA>
In-Reply-To: <JIRA.13026864.1481254563000@Atlassian.JIRA>
References: <JIRA.13026864.1481254563000@Atlassian.JIRA> <JIRA.13026864.1481254563434@arcas>
Subject: [jira] [Created] (ACCUMULO-4534) Remove XML external entity issue
 in RestoreZooKeeper
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Fri, 09 Dec 2016 03:37:00 -0000

Josh Elser created ACCUMULO-4534:
------------------------------------

             Summary: Remove XML external entity issue in RestoreZooKeeper
                 Key: ACCUMULO-4534
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4534
             Project: Accumulo
          Issue Type: Bug
            Reporter: Josh Elser
            Assignee: Josh Elser
             Fix For: 1.7.3, 1.8.1, 2.0.0


There appears to be an issue in RestoreZooKeeper in which the tool may, with specially crafted XML, load external files on the system. I'm not going the normal vulnerability route with this because the command is executed by a user on an XML file they provide (so, the vector is that you attacked yourself out of ignorance).

However, it would still be good to remove this as a possibility since it's very simple. This was found by a static analysis tool.

For more info, https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet is a good writeup.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)