Just glad to help. And, it was fun to learn the CVE process. -Rob
> On Sep 27, 2017, at 2:25 PM, Pascal Schumacher <pascalschumac...@gmx.net> > wrote: > > I agree this required a lot of dedication/work. > > Thanks Rob! > > Am 27.09.2017 um 16:29 schrieb Benedikt Ritter: >> I would like to give kudos to Rob for handling this issue. The kind of >> dedication you put into fixing this issue and releasing a component that has >> not been touched for ages is what I’m looking for in PMC members. >> >> Great work! >> Benedikt >> >>> Am 27.09.2017 um 15:05 schrieb Rob Tompkins <chtom...@apache.org>: >>> >>> CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype >>> definitions. >>> >>> Severity: Medium >>> >>> Vendor: >>> The Apache Software Foundation >>> >>> Versions Affected: >>> commons-jelly-1.0 (core), namely commons-jelly-1.0.jar >>> >>> Description: >>> During Jelly (xml) file parsing with Apache Xerces, if a custom doctype >>> entity is declared with a “SYSTEM” entity with a URL and that entity is >>> used in the body of the Jelly file, during parser instantiation the parser >>> will attempt to connect to said URL. This could lead to XML External Entity >>> (XXE) attacks. The Open Web Application Security Project suggests that the >>> fix be >>> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader >>> >>> Mitigation: >>> 1.0 users should migrate to 1.0.1. >>> >>> Example: >>> >>> example.jelly >>> -------------- >>> <?xml version="1.0"?> >>> <!--- >>> Licensed to the Apache Software Foundation (ASF) under one or more >>> contributor license agreements. See the NOTICE file distributed with >>> this work for additional information regarding copyright ownership. >>> The ASF licenses this file to You under the Apache License, Version 2.0 >>> (the "License"); you may not use this file except in compliance with >>> the License. You may obtain a copy of the License at >>> http://www.apache.org/licenses/LICENSE-2.0 >>> Unless required by applicable law or agreed to in writing, software >>> distributed under the License is distributed on an "AS IS" BASIS, >>> WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. >>> See the License for the specific language governing permissions and >>> limitations under the License. >>> --> >>> <!DOCTYPE r [ >>> <!ELEMENT r ANY > >>> <!ENTITY sp SYSTEM "http://127.0.0.1:4444/";> >>> ]> >>> <r>&sp;</r> >>> <j:jelly trim="false" xmlns:j="jelly:core" >>> xmlns:x="jelly:xml" >>> xmlns:html="jelly:html"> >>> </j:jelly> >>> -------------- >>> >>> ExampleParser.java >>> ------------------ >>> public class ExampleParser { >>> >>> public static void main(String[] args) throws JellyException, >>> IOException, >>> NoSuchMethodException, >>> IllegalAccessException,IllegalArgumentException, >>> InvocationTargetException { >>> JellyContext context = new JellyContext(); >>> context.runScript("example.jelly", null); >>> } >>> } >>> >>> Credit: >>> This was discovered by Luca Carettoni of Doyensec. >>> >>> References: >>> [1] http://commons.apache.org/jelly/security-reports.html >>> [2] https://issues.apache.org/jira/browse/JELLY-293 >>> >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >>> For additional commands, e-mail: dev-h...@commons.apache.org >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org >> For additional commands, e-mail: dev-h...@commons.apache.org >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
