+1 Amazing work Rob! Kudos!

Bruno

On Thu, 28 Sep 2017 at 0:29, Benedikt Ritter <brit...@apache.org> wrote:

I would like to give kudos to Rob for handling this issue. The kind of
dedication you put into fixing this issue and releasing a component that has
not been touched for ages is what I'm looking for in PMC members.
Great work!
Benedikt

> On 27.09.2017 at 15:05, Rob Tompkins <chtom...@apache.org> wrote:
>
> CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype
> definitions.
>
> Severity: Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> commons-jelly-1.0 (core), namely commons-jelly-1.0.jar
>
> Description:
> During Jelly (xml) file parsing with Apache Xerces, if a custom doctype
> entity is declared with a "SYSTEM" entity with a URL and that entity is used
> in the body of the Jelly file, during parser instantiation the parser will
> attempt to connect to said URL. This could lead to XML External Entity (XXE)
> attacks. The Open Web Application Security Project suggests that the fix be
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader
>
> Mitigation:
> 1.0 users should migrate to 1.0.1.
>
> Example:
>
> example.jelly
> --------------
> <?xml version="1.0"?>
> <!---
>   Licensed to the Apache Software Foundation (ASF) under one or more
>   contributor license agreements.  See the NOTICE file distributed with
>   this work for additional information regarding copyright ownership.
>   The ASF licenses this file to You under the Apache License, Version 2.0
>   (the "License"); you may not use this file except in compliance with
>   the License.  You may obtain a copy of the License at
>
>       http://www.apache.org/licenses/LICENSE-2.0
>
>   Unless required by applicable law or agreed to in writing, software
>   distributed under the License is distributed on an "AS IS" BASIS,
>   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>   See the License for the specific language governing permissions and
>   limitations under the License.
> -->
> <!DOCTYPE r [
> <!ELEMENT r ANY >
> <!ENTITY sp SYSTEM "http://127.0.0.1:4444/">
> ]>
> <r>&sp;</r>
> <j:jelly trim="false" xmlns:j="jelly:core"
>          xmlns:x="jelly:xml"
>          xmlns:html="jelly:html">
> </j:jelly>
> --------------
>
> ExampleParser.java
> ------------------
> import java.io.IOException;
> import java.lang.reflect.InvocationTargetException;
>
> import org.apache.commons.jelly.JellyContext;
> import org.apache.commons.jelly.JellyException;
>
> public class ExampleParser {
>
>     public static void main(String[] args) throws JellyException,
>                                                   IOException,
>                                                   NoSuchMethodException,
>                                                   IllegalAccessException,
>                                                   IllegalArgumentException,
>                                                   InvocationTargetException {
>         // Running the script parses example.jelly with Xerces; with 1.0 the
>         // SYSTEM entity above is resolved during that parse.
>         JellyContext context = new JellyContext();
>         context.runScript("example.jelly", null);
>     }
> }
>
> Credit:
> This was discovered by Luca Carettoni of Doyensec.
>
> References:
> [1] http://commons.apache.org/jelly/security-reports.html
> [2] https://issues.apache.org/jira/browse/JELLY-293
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
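The advisory above points at the OWASP XMLReader guidance as the fix. As an added example that is part of neither this thread nor the Jelly 1.0.1 release, the class below applies the Xerces/SAX features from that cheat sheet through JAXP's SAXParserFactory and checks, on a constructed copy of the advisory's DOCTYPE, that the parser refuses the document before the SYSTEM entity is ever resolved. The class and method names (HardenedJellyParser, hardenedReader, rejectsExternalEntity) are assumptions; the feature URIs are the standard Xerces/SAX ones.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/** Hypothetical hardened parser (example code, not Jelly's own). */
public class HardenedJellyParser {

    // Constructed sample mirroring the advisory's example.jelly: a DOCTYPE
    // declaring a SYSTEM entity that points at a loopback URL.
    static final String SAMPLE = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [\n"
            + "<!ELEMENT r ANY >\n"
            + "<!ENTITY sp SYSTEM \"http://127.0.0.1:4444/\">\n"
            + "]>\n"
            + "<r>&sp;</r>\n";

    /** Builds an XMLReader configured with the OWASP-recommended features. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        // Strongest setting: reject any DOCTYPE outright. Jelly scripts have
        // no legitimate need for one, so this alone closes the hole.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, for parsers that must accept a DOCTYPE: never fetch
        // external general or parameter entities, never load an external DTD.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // XInclude is another route to file or URL inclusion; keep it off.
        factory.setXIncludeAware(false);
        SAXParser parser = factory.newSAXParser();
        return parser.getXMLReader();
    }

    /**
     * Returns true when the hardened parser refuses the document because of
     * its DOCTYPE, i.e. before any entity could trigger a network connection.
     */
    static boolean rejectsExternalEntity(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        XMLReader reader = hardenedReader();
        reader.setContentHandler(new DefaultHandler());
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return false; // parsed through: the DOCTYPE was not blocked
        } catch (SAXParseException e) {
            // Xerces reports the disallowed DOCTYPE as a fatal parse error
            // while still reading the prolog; no entity has been resolved.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE rejected: " + rejectsExternalEntity(SAMPLE));
    }
}
```

The JDK's bundled parser is Xerces-derived and recognises all four features; a different SAX implementation that does not would raise SAXNotRecognizedException from setFeature, which is the right outcome, since silently continuing with an unhardened parser is what the advisory describes. Rejecting the DOCTYPE at the prolog matters for detection as well: the SAXParseException surfaces every attempt to smuggle a DTD into a script, which can be logged, whereas a parser that merely ignores the entity hides the attempt.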