On Wed, Sep 27, 2017 at 8:29 AM, Benedikt Ritter <brit...@apache.org> wrote:
> I would like to give kudos to Rob for handling this issue. The kind of > dedication you put into fixing this issue and releasing a component that > has not been touched for ages is what I’m looking for in PMC members. > > Great work! > +1 Gary > Benedikt > > > Am 27.09.2017 um 15:05 schrieb Rob Tompkins <chtom...@apache.org>: > > > > CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype > definitions. > > > > Severity: Medium > > > > Vendor: > > The Apache Software Foundation > > > > Versions Affected: > > commons-jelly-1.0 (core), namely commons-jelly-1.0.jar > > > > Description: > > During Jelly (xml) file parsing with Apache Xerces, if a custom doctype > entity is declared with a “SYSTEM” entity with a URL and that entity is > used in the body of the Jelly file, during parser instantiation the parser > will attempt to connect to said URL. This could lead to XML External Entity > (XXE) attacks. The Open Web Application Security Project suggests that the > fix be https://www.owasp.org/index.php/XML_External_Entity_(XXE)_ > Prevention_Cheat_Sheet#XMLReader > > > > Mitigation: > > 1.0 users should migrate to 1.0.1. > > > > Example: > > > > example.jelly > > -------------- > > <?xml version="1.0"?> > > <!--- > > Licensed to the Apache Software Foundation (ASF) under one or more > > contributor license agreements. See the NOTICE file distributed with > > this work for additional information regarding copyright ownership. > > The ASF licenses this file to You under the Apache License, Version 2.0 > > (the "License"); you may not use this file except in compliance with > > the License. You may obtain a copy of the License at > > http://www.apache.org/licenses/LICENSE-2.0 > > Unless required by applicable law or agreed to in writing, software > > distributed under the License is distributed on an "AS IS" BASIS, > > WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. > > See the License for the specific language governing permissions and > > limitations under the License. > > --> > > <!DOCTYPE r [ > > <!ELEMENT r ANY > > > <!ENTITY sp SYSTEM "http://127.0.0.1:4444/";> > > ]> > > <r>&sp;</r> > > <j:jelly trim="false" xmlns:j="jelly:core" > > xmlns:x="jelly:xml" > > xmlns:html="jelly:html"> > > </j:jelly> > > -------------- > > > > ExampleParser.java > > ------------------ > > public class ExampleParser { > > > > public static void main(String[] args) throws JellyException, > IOException, > > NoSuchMethodException, > IllegalAccessException,IllegalArgumentException, > > InvocationTargetException { > > JellyContext context = new JellyContext(); > > context.runScript("example.jelly", null); > > } > > } > > > > Credit: > > This was discovered by Luca Carettoni of Doyensec. > > > > References: > > [1] http://commons.apache.org/jelly/security-reports.html > > [2] https://issues.apache.org/jira/browse/JELLY-293 > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > >
