Posted to notifications@accumulo.apache.org by "Josh Elser (JIRA)" <ji...@apache.org> on 2016/12/09 03:47:58 UTC

[jira] [Updated] (ACCUMULO-4534) Remove XML external entity issue in RestoreZooKeeper

     [ https://issues.apache.org/jira/browse/ACCUMULO-4534?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Josh Elser updated ACCUMULO-4534:
---------------------------------
    Status: Patch Available  (was: Open)

[~ctubbsii], maybe you have time to take a quick peek?

> Remove XML external entity issue in RestoreZooKeeper
> ----------------------------------------------------
>
>                 Key: ACCUMULO-4534
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-4534
>             Project: Accumulo
>          Issue Type: Bug
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>             Fix For: 1.7.3, 1.8.1, 2.0.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> There appears to be an issue in RestoreZooKeeper in which the tool may, with specially crafted XML, load external files on the system. I'm not going the normal vulnerability route with this because the command is executed by a user on an XML file they provide (so, the vector is that you attacked yourself out of ignorance).
> However, it would still be good to remove this as a possibility since it's very simple. This was found by a static analysis tool.
> For more info, https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet is a good writeup.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)