Summary: dev-java/castor: XML External Entity (XXE) attacks via a crafted XML document (CVE-2014-3004)
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: java
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://seclists.org/fulldisclosure/2014/May/142
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 268619
Bug Blocks:
It was discovered (${URL}) that the Castor library's unmarshalling class is susceptible to XML External Entity (XXE) attacks. If the XML that is being passed to the unmarshalling function is controllable by an end user, there is the potential that they could retrieve local resources, download malicious code from other servers, and/or open arbitrary TCP connections.

Recommendation

Upgrade to Castor version 1.3.3, which now disables external entities by default.

Alternatively, the manual fix for this issue is actually very simple. The main Castor configuration file (castor.properties) can be used to specify which XML features should be enabled/disabled. In order to prevent the parser from reading external entities, the external-general-entities and the external-parameter-entities features should be disabled. Additionally, the disallow-doctype-decl option should be turned on. The following is what the entry in the castor.properties file should look like:
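The three SAX features the advisory names, applied to a plain JDK SAX parser and checked against a constructed document, as an added example that is not part of the bug report or of Castor itself (the class and method names are mine):

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

public class XxeHardenedSaxCheck {
    // Full SAX feature URIs for the three options the advisory refers to by short name.
    static final String DISALLOW_DOCTYPE   = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Builds a reader with external entities disabled and DOCTYPE declarations refused,
    // the same configuration the advisory asks Castor users to set in castor.properties.
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature(EXTERNAL_GENERAL, false);
        f.setFeature(EXTERNAL_PARAMETER, false);
        return f.newSAXParser().getXMLReader();
    }

    // Returns true when the reader refuses the document, which is the hardened outcome
    // for anything that carries a DOCTYPE (the construct an XXE document needs).
    static boolean rejects(XMLReader reader, String xml) {
        try {
            reader.setContentHandler(new DefaultHandler());
            reader.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXException | IOException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one document with an (internal-only) DOCTYPE, one without.
        String withDoctype = "<?xml version=\"1.0\"?><!DOCTYPE r [<!ENTITY x \"y\">]><r>&x;</r>";
        String plain = "<r>ok</r>";
        XMLReader r = hardenedReader();
        System.out.println("DOCTYPE document rejected: " + rejects(r, withDoctype));
        System.out.println("plain document rejected:   " + rejects(r, plain));
    }
}
```

In Castor these same feature URIs are listed under the org.exolab.castor.sax.features and org.exolab.castor.sax.features-to-disable properties (property names taken from Castor's documentation, not from this page); the hardened reader also catches documents that use only internal entities, because refusing the DOCTYPE removes the entity mechanism entirely.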