OFBIZ-6959: Update XStream lib to prevent XML External Entity (XXE) Processing
(OFBiz project; sub-task of OFBIZ-1525, Issue to group security concerns)

    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Release Branch 12.04, Release Branch 13.07, Release Branch 14.12, Trunk, Release Branch 15.12
    • Fix Version/s: 14.12.01, 12.04.06, 13.07.03, 15.12.01
    • Component/s: framework
    • Labels: (none)
    • Sprint: Bug Crush Event - 21/2/2015

      Description

      The XStream team released the 1.4.9 stable version on March 15, 2016.

      This version fixes the XML External Entity (XXE) Processing security issue.

      Since OFBiz uses the DomDriver, with Java 6 at least in supported releases, OFBiz does not seem really vulnerable, but better to be safe than sorry, notably for non-OOTB uses...

      OWASP Dependency Check did not report this vulnerability. I will report to them.

        Activity

        Jacques Le Roux added a comment -

        Fixed in
        trunk r1736434
        R15.12 r1736435
        R14.12 r1736436
        R13.07 r1736437
        R12.04 r1736438

        Jacques Le Roux added a comment - edited

        BTW, for those interested, here is a good reference on this subject: http://blog.diniscruz.com/2013/12/xstream-remote-code-execution-exploit.html

        Jacques Le Roux added a comment -

        In the description I wrote that

        OWASP Dependency Check did not report this vulnerability. I will report to them.

        I was a bit ahead; the CVE has not been created yet: http://www.openwall.com/lists/oss-security/2016/03/25/8


          People

          • Assignee: Jacques Le Roux
          • Reporter: Jacques Le Roux
          • Votes: 0
          • Watchers: 1
