CVE-2014-0054 Spring MVC Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE)

2014-05-05T00:00:00
ID SECURITYVULNS:DOC:30643
Type securityvulns
Reporter Securityvulns
Modified 2014-05-05T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

CVE-2014-0054 Incomplete fix for CVE-2013-4152 / CVE-2013-6429 (XXE)

Severity: Important

Vendor: Spring by Pivotal

Versions Affected: - - Spring MVC 3.0.0 to 3.2.8 - - Spring MVC 4.0.0 to 4.0.1 - - Earlier unsupported versions may be affected

Description: Spring MVC's Jaxb2RootElementHttpMessageConverter also processed user provided XML and neither disabled XML external entities nor provided an option to disable them. Jaxb2RootElementHttpMessageConverter has been modified to provide an option to control the processing of XML external entities and that processing is now disabled by default.

Mitigation: Users of affected versions should apply the following mitigation: - - Users of 3.x should upgrade to 3.2.8 or later - - Users of 4.x should upgrade to 4.0.2 or later

Credit: This issue was reported to the Spring Framework developers by Spase Markovski.

References: http://www.gopivotal.com/security/cve-2014-0054 https://jira.springsource.org/browse/SPR-11376 https://github.com/spring-projects/spring-framework/commit/edba32b3093703d5e9ed42b5b8ec23ecc1998398#diff-1f3f1d5cdab9ac92d1ca5ec7def8f131

History: 2014-Mar-11: Initial vulnerability report published. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) - WinPT 1.2.0

iQIcBAEBAgAGBQJTH4LYAAoJEKSZXFdK82XaOD4P/RQEwgJaQxHpx+WG1z0dvf5K DuG+p/O+E0zruuTdVZMTdg+i+o3PSBQ/8xjnAJw0S8DeLAClZPC8h/bHr4C1Hy2A Fd9UIQF0Tuci4nUpaBkYjMsq/DIznhMCI3Md0dclYNj/X9j+mocFiRzhFDI4/2yx kfN62ks9DMe9YZhc3jqzB01MLnqmx2zVXRX7t1YUrcUpdvgz0m2Cp/xoU4urAf7G Jggiggc4z9iGJ9B4fbvhJ10jLeNjCf0xI+s612Uq4wQC/+5sZDwaE9BaIiBBS/bI 60nePuGzuGlcXlERPSiswO4U7evBXLJAHWsReMjJODf0+j+LheRUdeqBDGx+MlQ2 1Nz6L/EzYfX3AEm0rLhE1Y51oV2BfkIT5zT0aCb1xZY5Ujwqv1q6S+bTK0M8HrKv YYkKvXlAHmBW9t0Yk/ONaXT/b843Y/UJD2Zqd0272y2KmewDmAT7A1b8r8b1Yj5W 2Aw/6/2qVgnWLfgBiY0i+9//POnrmp8wDERVAAix/ePk/Mh+KBZAXThzMy77Vm1R miFXUCo92y0vAQijavn5lO5rhSuKX0205V61ivY6JLPeVqDxdXi6eptXSZuKe3e7 0XyHieN5zZ6nH+UkKSdUFhMSiGx6fQ0YDQm/4wfj5AqJ8ib1lrj/n4zxhTGTJpfy KyU96xGT6ig9EuA3Sc+E =N/VV -----END PGP SIGNATURE-----