Alvaro Munoz discovered an XML External Entity (XXE) injection in the
Spring Framework which can be used for conducting CSRF and DoS attacks
on other sites.
The Spring OXM wrapper did not expose any property for disabling entity
resolution when using the JAXB unmarshaller. There are four possible
source implementations passed to the unmarshaller:
DOMSource
StAXSource
SAXSource
StreamSource
For a DOMSource, the XML has already been parsed by user code
and that code is responsible for protecting against XXE.
For a StAXSource, the XMLStreamReader has already been created
by user code and that code is responsible for protecting
against XXE.
For SAXSource and StreamSource instances, Spring processed
external entities by default thereby creating this
vulnerability.
The issue was resolved by disabling external entity processing
by default and adding an option to enable it for those users that
need to use this feature when processing XML from a trusted source.
It was also identified that Spring MVC processed u...