From: Rob Tompkins
Reply-To: Commons Users List
Subject: [SECURITY] CVE-2017-12621 Apache Commons Jelly connects to URL with custom doctype definitions.
Date: Wed, 27 Sep 2017 09:05:46 -0400
Message-Id: <38CA08B7-2456-4D56-AF60-BE1168ECE522@apache.org>
To: announce@apache.org, Commons Developers List, Commons Users List, Luca Carettoni, oss-security@lists.openwall.com
Cc: security@apache.org

CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype definitions.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-jelly-1.0 (core), namely commons-jelly-1.0.jar

Description:
Jelly scripts are XML and are parsed with Apache Xerces. If a script declares a custom doctype with a "SYSTEM" entity whose system identifier is a URL, and references that entity in the body of the script, the parser resolves the entity while the script is being parsed (here, inside JellyContext.runScript) and attempts to connect to that URL. Anyone who can supply a Jelly script to an application on commons-jelly-1.0 can therefore make the parser issue requests of their choosing, the classic XML External Entity (XXE) attack. The OWASP XXE Prevention Cheat Sheet describes the parser settings that prevent this:
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader

Mitigation: 1.0 users should migrate to 1.0.1. Check deployed classpaths for commons-jelly-1.0.jar, the affected artifact.

Example:

example.jelly
--------------
]> &sp;
--------------

ExampleParser.java
------------------
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;

import org.apache.commons.jelly.JellyContext;
import org.apache.commons.jelly.JellyException;

public class ExampleParser {

    public static void main(String[] args) throws JellyException, IOException,
            NoSuchMethodException, IllegalAccessException, IllegalArgumentException,
            InvocationTargetException {
        // runScript parses example.jelly with Xerces; on commons-jelly-1.0 the
        // SYSTEM entity declared in the script's doctype is resolved during that
        // parse, so the URL is contacted before any tag in the script executes.
        JellyContext context = new JellyContext();
        context.runScript("example.jelly", null);
    }
}
------------------

Credit: This was discovered by Luca Carettoni of Doyensec.

References:
[1] http://commons.apache.org/jelly/security-reports.html
[2] https://issues.apache.org/jira/browse/JELLY-293

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@commons.apache.org
For additional commands, e-mail: user-help@commons.apache.org
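The parser behaviour the advisory describes, and the XMLReader hardening from the OWASP cheat sheet it points to, as an added stand-alone example. This is not Jelly's code and not part of the advisory: it drives Xerces directly through the JAXP SAX API with a constructed script modelled on example.jelly (the entity name "sp" matches the advisory's "&sp;" reference; the target host, port and path are assumptions chosen so nothing listens there). A recording EntityResolver captures the URL the parser asks for instead of opening a socket, so the demo runs offline.

```java
import java.io.StringReader;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Constructed input modelled on the advisory's example.jelly: the DOCTYPE declares
    // a SYSTEM entity "sp" pointing at a URL and the body references &sp;.
    // The URL is an assumption (127.0.0.1:9, the discard port, so nothing answers).
    static final String SCRIPT =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE j:jelly [ <!ENTITY sp SYSTEM \"http://127.0.0.1:9/collect\"> ]>\n"
        + "<j:jelly xmlns:j=\"jelly:core\">&sp;</j:jelly>\n";

    /** Records the system id the parser wants to fetch instead of letting it connect. */
    static final class RecordingHandler extends DefaultHandler {
        String requestedSystemId;

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requestedSystemId = systemId;
            // Serve an empty replacement text so the demo never touches the network.
            return new InputSource(new StringReader(""));
        }
    }

    /**
     * Parses SCRIPT with the JDK's Xerces via JAXP.
     * hardened=false is the stock configuration the advisory describes;
     * hardened=true applies the settings from the OWASP XMLReader section.
     */
    static String parse(boolean hardened) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setNamespaceAware(true);
        if (hardened) {
            // Reject any DOCTYPE outright, which removes the internal subset and
            // therefore every entity declaration an attacker could write.
            factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            // Defence in depth for parsers that must tolerate a DOCTYPE:
            // never expand external general or parameter entities, never load a DTD.
            factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
            factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        }
        SAXParser parser = factory.newSAXParser();
        RecordingHandler handler = new RecordingHandler();
        try {
            // parse(InputSource, DefaultHandler) installs the handler as content handler,
            // entity resolver, DTD handler and error handler in one call.
            parser.parse(new InputSource(new StringReader(SCRIPT)), handler);
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
        return handler.requestedSystemId == null
            ? "parsed, no external entity resolved"
            : "parsed, parser tried to resolve " + handler.requestedSystemId;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default : " + parse(false));
        System.out.println("hardened: " + parse(true));
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`; the JDK ships Xerces, so no extra jars are needed. In the default configuration the resolver is handed the attacker's URL, which is exactly the outbound connection the advisory reports; with the features set, the DOCTYPE is refused before any entity exists. For Jelly itself the supported fix remains the upgrade to 1.0.1; the feature settings are what to check in any other code path that hands untrusted XML to Xerces.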