Bug 513074 (CVE-2014-3004) - dev-java/castor: XML External Entity (XXE) attacks via a crafted XML document (CVE-2014-3004)
Status: RESOLVED FIXED
Alias: CVE-2014-3004
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/fulldisclosure/20...
Whiteboard: B3 [noglsa]
Keywords:
Depends on: 268619
Reported: 2014-06-12 21:52 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-11-09 22:07 UTC
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-06-12 21:52:25 UTC
It was discovered (${URL}) that the Castor library's unmarshalling class is susceptible to XML External Entity (XXE) attacks. If the XML that is being passed to the unmarshalling function is controllable by an end user, there is the potential that they could retrieve local resources, download malicious code from other servers, and/or open arbitrary TCP connections.

===========================================================
Recommendation
===========================================================
Upgrade to Castor version 1.3.3 which now disables external entities by
default.

Alternatively, the manual fix for this issue is actually very simple. The
main Castor configuration file (castor.properties) can be used to specify
which XML features should be enabled/disabled. In order to prevent the
parser from reading external entities, the external-general-entities and
the external-parameter-entities should be disabled. Additionally, the
disallow-doctype-decl option should be turned on. The following is what
the entry in the castor.properties file should look like:

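As an added illustration (not code from the advisory or from Castor itself), the three SAX features named above applied directly to the JAXP/Xerces SAX reader that Castor parses with, together with a constructed document containing an external entity declaration to confirm that the hardened reader rejects it; the castor.properties key names in the comment are assumed from Castor's configuration documentation.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

public class XxeHardenedReader {
    // Full feature URIs behind the short names used in the advisory.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXT_GENERAL = "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";

    // Equivalent castor.properties entries (assumed key names, per Castor's configuration docs):
    //   org.exolab.castor.sax.features=http://apache.org/xml/features/disallow-doctype-decl
    //   org.exolab.castor.sax.features-to-disable=http://xml.org/sax/features/external-general-entities,\
    //       http://xml.org/sax/features/external-parameter-entities

    /** A SAX reader configured the way the advisory recommends. */
    static XMLReader hardenedReader() throws ParserConfigurationException, SAXException {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setFeature(DISALLOW_DOCTYPE, true);  // reject any DOCTYPE, hence any entity declaration
        reader.setFeature(EXT_GENERAL, false);      // defence in depth: no external general entities
        reader.setFeature(EXT_PARAMETER, false);    // ... and no external parameter entities
        return reader;
    }

    /** Returns true if the reader accepted the document, false if it rejected it. */
    static boolean accepts(XMLReader reader, String xml) {
        try {
            reader.parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an entity declaration pointing at an external resource,
        // the pattern an XXE payload relies on. Pointed at a harmless target here.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///dev/null\">]>\n"
            + "<r>&ext;</r>";
        String plain = "<r>ok</r>";
        System.out.println("plain document accepted:   " + accepts(hardenedReader(), plain));
        System.out.println("DOCTYPE document accepted: " + accepts(hardenedReader(), withDoctype));
    }
}
```

With the three features set, the second call fails at the DOCTYPE before any entity is resolved, which is the behaviour the castor.properties entry is meant to give Castor's unmarshaller.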
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 14:15:57 UTC
CVE-2014-3004 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3004):
  The default configuration for the Xerces SAX Parser in Castor before 1.3.3
  allows context-dependent attackers to conduct XML External Entity (XXE)
  attacks via a crafted XML document.
Comment 2 Patrice Clement gentoo-dev 2015-10-29 13:13:50 UTC
This package has been masked for removal. See bug 268619. We will close this bug after the removal.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-29 13:56:49 UTC
GLSA Vote: No
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:07:37 UTC
Vote: NO.