You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@qpid.apache.org by "Gordon Sim (JIRA)" <ji...@apache.org> on 2014/11/07 19:25:35 UTC

[jira] [Resolved] (QPID-6218) xml exchange can be induced to make http requests

     [ https://issues.apache.org/jira/browse/QPID-6218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gordon Sim resolved QPID-6218.
------------------------------
    Resolution: Fixed

> xml exchange can be induced to make http requests
> -------------------------------------------------
>
>                 Key: QPID-6218
>                 URL: https://issues.apache.org/jira/browse/QPID-6218
>             Project: Qpid
>          Issue Type: Bug
>          Components: C++ Broker
>    Affects Versions: 0.30
>            Reporter: Gordon Sim
>            Assignee: Gordon Sim
>             Fix For: 0.31
>
>         Attachments: QPID-6218.patch
>
>
> CVE-2014-3629  CVS: 3
> Severity: Low
> Vendor:
> The Apache Software Foundation
> Versions Affected:
> Apache Qpid's qpidd up to and including version
> 0.30, where xml exchange module is loaded
> Description:
> The XML exchange type is an optional, dynamically loaded module for
> qpidd that allows creation of exchanges that route messages based on
> evaluating an xquery expression against them.
> On parsing a message sent to an XML exchange, whose body is XML
> containing a link to a DTD, the broker process will attempt to
> retrieve the referenced resource(s). I.e. the broker process may be
> induced to make outgoing HTTP connections by publishing a message
> containing links to an XML exchange.
> Solution:
> A patch is available that prevents any retrieval of
> external entities referenced in the XML. This will be included in
> subsequent releases, but can be applied to 0.30 if desired. [Details
> of patch and commit revision to be added]
> Common Vulnerability Score information:
> If the XML exchange functionality is not required, the module in
> question need not be loaded at all. This can be done either by moving
> the module - named xml.so - out of the module directory, or by setting
> the --no-module-dir option and adding an explicit --load-module
> argument for every required module.
> Where the XML exchange functionality is required, authorisation may be
> enabled to prevent all but trusted users from creating or publishning
> to xml exchanges.
> Credit:
> This issue was discovered by G. Geshev from MWR Labs
> Common Vulnerability Score information:
> CVSS Base Score                   3.5
> Impact Subscore                   2.9
> Exploitability Subscore           6.8
> CVSS Temporal Score               3
> CVSS Environmental Score          Not Defined
> Modified Impact Subscore          Not Defined
> Overall CVSS Score                3



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org