-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2446
   CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype
                                definitions.
                              28 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Commons Jelly
Publisher:         The Apache Software Foundation
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12621

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype
definitions.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-jelly-1.0 (core), namely commons-jelly-1.0.jar

Description:

During Jelly (XML) file parsing with Apache Xerces, if a custom doctype
entity is declared with a "SYSTEM" entity with a URL and that entity is used
in the body of the Jelly file, the parser will attempt to connect to said
URL while the file is parsed. This could lead to XML External Entity (XXE)
attacks.

The Open Web Application Security Project suggests that the fix be
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader

Mitigation:

1.0 users should migrate to 1.0.1.

Example:

example.jelly
- --------------

<?xml version="1.0"?>
<!---
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
- -->
<!DOCTYPE r [
  <!ELEMENT r ANY >
  <!ENTITY sp SYSTEM "http://127.0.0.1:4444/">
]>
<r>&sp;</r>
<j:jelly trim="false" xmlns:j="jelly:core" xmlns:x="jelly:xml" xmlns:html="jelly:html">
</j:jelly>
- --------------

ExampleParser.java
- ------------------

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;

import org.apache.commons.jelly.JellyContext;
import org.apache.commons.jelly.JellyException;

public class ExampleParser {
    public static void main(String[] args) throws JellyException, IOException,
            NoSuchMethodException, IllegalAccessException, IllegalArgumentException,
            InvocationTargetException {
        JellyContext context = new JellyContext();
        // Compiling example.jelly expands the SYSTEM entity "sp", so with
        // commons-jelly-1.0 this makes a request to http://127.0.0.1:4444/
        // before any Jelly tag is executed.
        context.runScript("example.jelly", null);
    }
}

Credit:

This was discovered by Luca Carettoni of Doyensec.

References:

[1] http://commons.apache.org/jelly/security-reports.html
[2] https://issues.apache.org/jira/browse/JELLY-293

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWcxa/ox+lLeg9Ub1AQjwoQ//Z0Ekzo11lhnYVbrYvAPav8XOdLLmDwPL
kX4q5BpemVzbtq/JFbXWch/xb3lyKqSpGD6F5xxeHDidJZRVDHvGHRJR5Ar90gTG
2A1cvcABnCYH91aC2QafUeWoYdlAaIbqVBIJpaU8lQw2d3IqapyFNZYoW3yqmdBM
SrpwxuZIP0zN1yTi96vXkIQh06cT7+KZCE/uI17LGPA84zFAUbky8rDLHRbASZgG
PmTpIMbEpCmm87A+q5XSTdgsfQsSVCJzVoe0SWqYTpzSS3XkU5R3n0SAr7ySCyZL
e0J5hQZU3PjmymFsxW4jBq5gxUWYjnxbRDZ3TaqcVBf468ZGacgdf9fFzb81/QML
WM/nC+TZTc5bZaIoexQzdoOS+9okcl2d0+tT73xeYRwUlpV3qIKKOIbK5IrhY1GP
J7/il3IETBPOiAhrPAtLcCLN0HjOXhQVoANLri1+7IpovaqoPLtn0+t1EdyuMCB4
M4P7eERXeHU+J5xbCGI2HeIfa/+leU+W/z0Fl82RgKR6dnxqJprplDh8Fm9Licxn
epwvVN5XNnsBnWui+Ck6vprj1njpC1M+Dn0TbTFVg7dhN184wOCcGtc+80klD0KR
177OFSdsb/Jp/+zJybCJb/kZbhJDIB4hfKZpGkzC7X9H6UnBkgmn0uP/R9BvHpZp
scIk1h8CStY=
=WXdN
-----END PGP SIGNATURE-----
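Editor's added example (not part of the AusCERT bulletin, the Apache advisory, or the Jelly code base): the advisory says the parser "will attempt to connect" to the SYSTEM URL and points at the OWASP XMLReader guidance for the fix. The class below makes both halves of that visible using only the SAX parser bundled with the JDK (the same Xerces lineage Jelly parses with), without Jelly on the classpath. POC is a constructed copy of the advisory's example.jelly with the license comment removed; XxeCheck, RecordingHandler and the three reader factories are names chosen here. An EntityResolver records the systemId the parser asks for instead of fetching it, so the run stays offline: with a default XMLReader the resolver is asked for http://127.0.0.1:4444/ (the request the advisory describes), with external entities disabled the resolver is never consulted and SAX reports the reference through skippedEntity instead, and with disallow-doctype-decl the document is rejected before any entity is seen. A side observation on the advisory's PoC: it places `<r>&sp;</r>` before the `<j:jelly>` root element, so the file is not well-formed, but the SYSTEM entity is expanded when `&sp;` is reached, which is before the parser gets to the second root element and fails.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Added example: shows why the advisory's example.jelly makes a SAX parser
 * reach out to http://127.0.0.1:4444/ and how the OWASP XMLReader settings
 * stop it. Uses only the JDK's bundled SAX parser; Jelly is not required.
 */
public class XxeCheck {

    // Constructed copy of the advisory's PoC with the license comment removed.
    static final String POC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE r [\n" +
        "  <!ELEMENT r ANY >\n" +
        "  <!ENTITY sp SYSTEM \"http://127.0.0.1:4444/\">\n" +
        "]>\n" +
        "<r>&sp;</r>\n";

    /** Records what the parser tries to resolve instead of fetching it. */
    static final class RecordingHandler extends DefaultHandler {
        final List<String> requested = new ArrayList<>(); // systemIds the parser wanted
        final List<String> skipped = new ArrayList<>();   // entities it refused to expand

        @Override
        public InputSource resolveEntity(String publicId, String systemId) {
            requested.add(systemId);                      // this is where the network request would go
            return new InputSource(new StringReader("")); // feed back nothing, stay offline
        }

        @Override
        public void skippedEntity(String name) {
            skipped.add(name);                            // SAX reports disabled expansions here
        }
    }

    /** Out-of-the-box reader: external SYSTEM entities are resolved, i.e. the URL gets fetched. */
    static XMLReader defaultReader() throws ParserConfigurationException, SAXException {
        return SAXParserFactory.newInstance().newSAXParser().getXMLReader();
    }

    /** Strictest OWASP setting: any DOCTYPE is a fatal error, so no entity can be declared. */
    static XMLReader noDoctypeReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newSAXParser().getXMLReader();
    }

    /** Fallback when DOCTYPEs must be accepted: keep the internal DTD, refuse anything external. */
    static XMLReader noExternalEntitiesReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        return f.newSAXParser().getXMLReader();
    }

    /** Parses the PoC with the given reader and returns the handler that observed the run. */
    static RecordingHandler parsePoc(XMLReader reader) throws IOException, SAXException {
        RecordingHandler h = new RecordingHandler();
        reader.setContentHandler(h);
        reader.setEntityResolver(h);
        reader.parse(new InputSource(new StringReader(POC)));
        return h;
    }

    public static void main(String[] args) throws Exception {
        RecordingHandler vulnerable = parsePoc(defaultReader());
        System.out.println("default reader asked to resolve: " + vulnerable.requested);

        RecordingHandler hardened = parsePoc(noExternalEntitiesReader());
        System.out.println("no-external-entities reader asked to resolve: " + hardened.requested
                + " and skipped: " + hardened.skipped);

        try {
            parsePoc(noDoctypeReader());
            System.out.println("disallow-doctype-decl reader accepted the document (unexpected)");
        } catch (SAXException e) {
            System.out.println("disallow-doctype-decl rejected the document: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac XxeCheck.java && java XxeCheck`; nothing is contacted on 127.0.0.1:4444 because the resolver answers every request locally. In a real Jelly deployment the reader is not created by application code but by Jelly's own XML parsing layer, so the settings in noDoctypeReader or noExternalEntitiesReader have to be applied wherever that XMLReader is configured (assuming, as the advisory's OWASP reference implies, that this is what the 1.0.1 fix does); for 1.0 users the advisory's own guidance, migrating to 1.0.1, remains the supported route. Prefer disallow-doctype-decl unless the scripts you parse genuinely need a DOCTYPE.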