Executive Summary

| Field | Value |
|---|---|
| Title | libspring-java security update |
| Name | DSA-2842 |
| Vendor | Debian |
| First vendor publication | 2014-01-13 |
| Last vendor modification | 2014-01-13 |
| Severity (vendor) | N/A |
| Revision | 1 |
Security-Database Scoring CVSS v3

| Metric | Value |
|---|---|
| CVSS vector | N/A |
| Overall CVSS score | NA |
| Base score | NA |
| Impact subscore | NA |
| Exploitability subscore | NA |
| Environmental score | NA |
| Temporal score | NA |
Security-Database Scoring CVSS v2

| Metric | Value |
|---|---|
| CVSS vector | (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| CVSS base score | 6.8 |
| CVSS impact score | 6.4 |
| CVSS exploit score | 8.6 |
| Attack range | Network |
| Attack complexity | Medium |
| Authentication | None required |
Detail

Alvaro Munoz discovered an XML External Entity (XXE) injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites. The Spring OXM wrapper did not expose any property for disabling entity resolution when using the JAXB unmarshaller. There are four possible source implementations passed to the unmarshaller:

- DOMSource
- StAXSource
- SAXSource
- StreamSource

For a DOMSource, the XML has already been parsed by user code and that code is responsible for protecting against XXE. For a StAXSource, the XMLStreamReader has already been created by user code and that code is responsible for protecting against XXE. For SAXSource and StreamSource instances, Spring processed external entities by default, thereby creating this vulnerability.

The issue was resolved by disabling external entity processing by default and adding an option to enable it for those users that need to use this feature when processing XML from a trusted source.

It was also identified that Spring MVC processed user-provided XML with JAXB in combination with a StAX XMLInputFactory without disabling external entity resolution. External entity resolution has been disabled in this case.

For the stable distribution (wheezy), this problem has been fixed in version 3.0.6.RELEASE-6+deb7u1.

For the unstable distribution (sid), this problem has been fixed in version 3.0.6.RELEASE-10.

We recommend that you upgrade your libspring-java packages.
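The two code paths the advisory names (a StAX XMLStreamReader built from an XMLInputFactory, and a SAXSource handed to JAXB) can be hardened in application code regardless of the Spring version. The following is an added example, not Spring's code or the Debian patch; it assumes javax.xml.bind (JAXB) on the classpath and a Xerces-based JAXP parser such as the JDK's, which recognizes the listed SAX feature URIs.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamReader;
import javax.xml.transform.sax.SAXSource;
import org.xml.sax.InputSource;

public final class HardenedJaxbSources {
    // Minimal JAXB type for the demonstration (constructed, not from the advisory).
    @XmlRootElement(name = "greeting")
    public static class Greeting { public String text; }

    // StAX path (the Spring MVC case): disable DTD support and external entities on
    // the factory before the XMLStreamReader is handed to JAXB.
    public static XMLStreamReader hardenedStaxReader(String xml) throws Exception {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return f.createXMLStreamReader(new StringReader(xml));
    }

    // SAX path (the SAXSource/StreamSource case): refuse DOCTYPE outright and, for
    // parsers that still accept DTDs, disable both kinds of external entity.
    public static SAXSource hardenedSaxSource(String xml) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return new SAXSource(f.newSAXParser().getXMLReader(),
                             new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Greeting.class).createUnmarshaller();
        // Constructed inputs: a plain document and one that declares a DOCTYPE.
        String plain = "<greeting><text>hi</text></greeting>";
        String withDtd = "<!DOCTYPE greeting [<!ENTITY e \"x\">]>"
                       + "<greeting><text>&e;</text></greeting>";
        System.out.println(((Greeting) u.unmarshal(hardenedStaxReader(plain))).text);
        // Through either hardened path the DOCTYPE-bearing document fails to
        // unmarshal instead of having its entity resolved.
        try { u.unmarshal(hardenedSaxSource(withDtd)); }
        catch (Exception ex) { System.out.println("SAX: " + ex.getMessage()); }
        try { u.unmarshal(hardenedStaxReader(withDtd)); }
        catch (Exception ex) { System.out.println("StAX: " + ex.getMessage()); }
    }
}
```

A DOMSource is unaffected by these settings: its DocumentBuilderFactory must be configured the same way before parsing, as the advisory notes that responsibility lies with the calling code.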
Original Source

Url: http://www.debian.org/security/2014/dsa-2842
CWE : Common Weakness Enumeration

| % | Id | Name |
|---|---|---|
| 100 % | CWE-264 | Permissions, Privileges, and Access Controls |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22246

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:22246 |
| Title | DSA-2857-1 libspring-java - several |
| Description | It was discovered by the Spring development team that the fix for the XML External Entity (XXE) Injection (CVE-2013-4152, http://security-tracker.debian.org/tracker/CVE-2013-4152) in the Spring Framework was incomplete. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-2857-1, CVE-2013-6429, CVE-2013-6430, CVE-2013-4152 |
| Version | 5 |
| Platform(s) | Debian GNU/Linux 7, Debian GNU/kFreeBSD 7 |
| Product(s) | libspring-java |

Definition Id: oval:org.mitre.oval:def:22298

| Field | Value |
|---|---|
| Oval ID | oval:org.mitre.oval:def:22298 |
| Title | DSA-2842-1 libspring-java - several |
| Description | Alvaro Munoz discovered an XML External Entity (XXE) injection in the Spring Framework which can be used for conducting CSRF and DoS attacks on other sites. |
| Family | unix |
| Class | patch |
| Reference(s) | DSA-2842-1, CVE-2013-4152 |
| Version | 5 |
| Platform(s) | Debian GNU/Linux 7, Debian GNU/kFreeBSD 7 |
| Product(s) | libspring-java |
CPE : Common Platform Enumeration
Snort® IPS/IDS

| Date | Description | Rule ID | Revision | Type |
|---|---|---|---|---|
| 2014-01-10 | XML entity parsing information disclosure attempt | 24339 | 14 | SERVER-WEBAPP |
Nessus® Vulnerability Scanner

| Date | Name | File | Type |
|---|---|---|---|
| 2014-02-10 | The remote Debian host is missing a security-related update. | debian_DSA-2857.nasl | ACT_GATHER_INFO |
| 2014-01-14 | The remote Debian host is missing a security-related update. | debian_DSA-2842.nasl | ACT_GATHER_INFO |
Alert History

| Date |
|---|
| 2014-02-17 11:32:29 |
| 2014-01-24 21:24:58 |
| 2014-01-24 13:22:46 |
| 2014-01-13 17:19:08 |