[<prev] [next>] [day] [month] [year] [list]
Message-Id: <bedb9e24-8d2b-4354-b6ca-6ab4abe53c54@gopivotal.com>
Date: Tue, 11 Mar 2014 14:41:18 -0700 (PDT)
From: Pivotal Security Team <security@...ivotal.com>
To: security@...ivotal.com
Cc: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: CVE-2014-0054 Spring MVC Incomplete fix for
CVE-2013-4152 / CVE-2013-6429 (XXE)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2014-0054 Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE)
Severity: Important
Vendor: Spring by Pivotal
Versions Affected:
- - Spring MVC 3.0.0 to 3.2.8
- - Spring MVC 4.0.0 to 4.0.1
- - Earlier unsupported versions may be affected
Description:
Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided
XML and neither disabled XML external entities nor provided an option to disable
them. Jaxb2RootElementHttpMessageConverter has been modified to provide an
option to control the processing of XML external entities and that processing is
now disabled by default.
Mitigation:
Users of affected versions should apply the following mitigation:
- - Users of 3.x should upgrade to 3.2.8 or later
- - Users of 4.x should upgrade to 4.0.2 or later
Credit:
This issue was reported to the Spring Framework developers by Spase Markovski.
References:
http://www.gopivotal.com/security/cve-2014-0054
https://jira.springsource.org/browse/SPR-11376
https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398#diff-1f3f1d5cdab9ac92d1ca5ec7def8f131
History:
2014-Mar-11: Initial vulnerability report published.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0
iQIcBAEBAgAGBQJTH4LYAAoJEKSZXFdK82XaOD4P/RQEwgJaQxHpx+WG1z0dvf5K
DuG+p/O+E0zruuTdVZMTdg+i+o3PSBQ/8xjnAJw0S8DeLAClZPC8h/bHr4C1Hy2A
Fd9UIQF0Tuci4nUpaBkYjMsq/DIznhMCI3Md0dclYNj/X9j+mocFiRzhFDI4/2yx
kfN62ks9DMe9YZhc3jqzB01MLnqmx2zVXRX7t1YUrcUpdvgz0m2Cp/xoU4urAf7G
Jggiggc4z9iGJ9B4fbvhJ10jLeNjCf0xI+s612Uq4wQC/+5sZDwaE9BaIiBBS/bI
60nePuGzuGlcXlERPSiswO4U7evBXLJAHWsReMjJODf0+j+LheRUdeqBDGx+MlQ2
1Nz6L/EzYfX3AEm0rLhE1Y51oV2BfkIT5zT0aCb1xZY5Ujwqv1q6S+bTK0M8HrKv
YYkKvXlAHmBW9t0Yk/ONaXT/b843Y/UJD2Zqd0272y2KmewDmAT7A1b8r8b1Yj5W
2Aw/6/2qVgnWLfgBiY0i+9//POnrmp8wDERVAAix/ePk/Mh+KBZAXThzMy77Vm1R
miFXUCo92y0vAQijavn5lO5rhSuKX0205V61ivY6JLPeVqDxdXi6eptXSZuKe3e7
0XyHieN5zZ6nH+UkKSdUFhMSiGx6fQ0YDQm/4wfj5AqJ8ib1lrj/n4zxhTGTJpfy
KyU96xGT6ig9EuA3Sc+E
=N/VV
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists