From: Francesco Chicchiriccò
Subject: [SECURITY] CVE-2018-17186 Apache Syncope
Date: Tue, 6 Nov 2018 10:05:59 +0100
To: dev@syncope.apache.org, user@syncope.apache.org, announce@apache.org, Joan Bono, oss-security@lists.openwall.com, security@apache.org
Reply-To: user@syncope.apache.org

CVE-2018-17186: XXE on BPMN definitions

Description:
An administrator with workflow definition entitlements can use DTD to perform malicious operations, including but not limited to file read, file write, and code execution.

Severity: Medium

Vendor: The Apache Software Foundation

Affects:
Releases prior to 2.1.2
Releases prior to 2.0.11
The unsupported Releases 1.2.x may also be affected.

Solution:
2.0.X users should upgrade to 2.0.11
2.1.X users should upgrade to 2.1.2

Mitigation:
Do not assign workflow definition entitlements to any administrator.

Credit:
This issue was discovered by Kevin Borras Soler and Joan Bono.

References:
https://syncope.apache.org/security