Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2015-0263 (GCVE-0-2015-0263)
Vulnerability from cvelistv5
Published
2015-06-03 20:00
Modified
2024-08-06 04:03
Severity ?
EPSS score ?
Summary
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T04:03:10.681Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "RHSA-2015:1539", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { name: "RHSA-2015:1041", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { name: "RHSA-2015:1538", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { name: "1032442", tags: [ "vdb-entry", "x_refsource_SECTRACK", "x_transferred", ], url: "http://www.securitytracker.com/id/1032442", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", "x_transferred", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2015-03-02T00:00:00", descriptions: [ { lang: "en", value: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2019-05-24T10:06:04", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "RHSA-2015:1539", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { name: "RHSA-2015:1041", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { name: "RHSA-2015:1538", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { name: "1032442", tags: [ "vdb-entry", "x_refsource_SECTRACK", ], url: "http://www.securitytracker.com/id/1032442", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", tags: [ "mailing-list", "x_refsource_MLIST", ], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-0263", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2015:1539", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { name: "RHSA-2015:1041", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { name: "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", refsource: "CONFIRM", url: "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { name: "RHSA-2015:1538", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { name: "1032442", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1032442", }, { name: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", refsource: "CONFIRM", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2015-0263", datePublished: "2015-06-03T20:00:00", dateReserved: "2014-11-18T00:00:00", dateUpdated: "2024-08-06T04:03:10.681Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"2.13.3\", \"matchCriteriaId\": \"3E65DC32-33D4-46FB-97AD-0ACF0DDF6E00\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BF8F319C-1212-4787-A1E8-15D576527EF2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"17E12D85-196F-4723-A4EC-7DC900087AC5\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de entidad externa XML (XXE) en el montaje del convertidor XML en converter/jaxp/XmlConverter.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 p3ermite a atacantes remotos leer ficheros arbitrarios a trav\\u00e9s de una entidad externa en una SAXSource.\"}]", evaluatorComment: "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", id: "CVE-2015-0263", lastModified: "2024-11-21T02:22:40.893", metrics: "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2015-06-03T20:59:02.917", references: "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1041.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1538.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1539.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securitytracker.com/id/1032442\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1041.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1538.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2015-1539.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id/1032442\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2015-0263\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2015-06-03T20:59:02.917\",\"lastModified\":\"2025-04-12T10:46:40.837\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de entidad externa XML (XXE) en el montaje del convertidor XML en converter/jaxp/XmlConverter.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 p3ermite a atacantes remotos leer ficheros arbitrarios a través de una entidad externa en una SAXSource.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.13.3\",\"matchCriteriaId\":\"3E65DC32-33D4-46FB-97AD-0ACF0DDF6E00\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF8F319C-1212-4787-A1E8-15D576527EF2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"17E12D85-196F-4723-A4EC-7DC900087AC5\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1041.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1538.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1539.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id/1032442\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1041.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1538.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2015-1539.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id/1032442\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}],\"evaluatorComment\":\"<a href=\\\"http://cwe.mitre.org/data/definitions/611.html\\\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>\"}}", }, }
RHSA-2015:1041
Vulnerability from csaf_redhat
Published
2015-06-01 17:08
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update
Notes
Topic
Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which
fixes two security issues, several bugs, and adds various enhancements, is
now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ
6.1.0. It includes several bug fixes, which are documented in the
readme.txt file included with the patch files. The following security
issues are addressed in this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
Refer to the readme.txt file included with the patch files for
installation instructions.
All users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as
provided from the Red Hat Customer Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which\nfixes two security issues, several bugs, and adds various enhancements, is\nnow available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ\n6.1.0. It includes several bug fixes, which are documented in the\nreadme.txt file included with the patch files. The following security\nissues are addressed in this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as\nprovided from the Red Hat Customer Portal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1041", url: "https://access.redhat.com/errata/RHSA-2015:1041", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1041.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update", tracking: { current_release_date: "2024-11-22T09:21:36+00:00", generator: { date: "2024-11-22T09:21:36+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1041", initial_release_date: "2015-06-01T17:08:08+00:00", revision_history: [ { date: "2015-06-01T17:08:08+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:35:43+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:36+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.1", product: { name: "Red Hat JBoss A-MQ 6.1", product_id: "Red Hat JBoss A-MQ 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.1.0", }, }, }, { category: "product_name", name: "Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-06-01T17:08:08+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1041", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-06-01T17:08:08+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1041", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, ], }
RHSA-2015:1538
Vulnerability from csaf_redhat
Published
2015-08-03 19:41
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update
Notes
Topic
Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,
and adds various enhancements, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red
Hat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are
documented in the README.txt file included with the patch files.
The following security issues are also fixed with this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
All users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,\nand adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red\nHat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are\ndocumented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1538", url: "https://access.redhat.com/errata/RHSA-2015:1538", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1538.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update", tracking: { current_release_date: "2024-11-22T09:21:41+00:00", generator: { date: "2024-11-22T09:21:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1538", initial_release_date: "2015-08-03T19:41:41+00:00", revision_history: [ { date: "2015-08-03T19:41:41+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:36:20+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.0", product: { name: "Red Hat JBoss BRMS 6.0", product_id: "Red Hat JBoss BRMS 6.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_brms:6.0", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BRMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1538", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BRMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BRMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1538", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BRMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, ], }
rhsa-2015_1041
Vulnerability from csaf_redhat
Published
2015-06-01 17:08
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update
Notes
Topic
Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which
fixes two security issues, several bugs, and adds various enhancements, is
now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ
6.1.0. It includes several bug fixes, which are documented in the
readme.txt file included with the patch files. The following security
issues are addressed in this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
Refer to the readme.txt file included with the patch files for
installation instructions.
All users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as
provided from the Red Hat Customer Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which\nfixes two security issues, several bugs, and adds various enhancements, is\nnow available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ\n6.1.0. It includes several bug fixes, which are documented in the\nreadme.txt file included with the patch files. The following security\nissues are addressed in this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as\nprovided from the Red Hat Customer Portal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1041", url: "https://access.redhat.com/errata/RHSA-2015:1041", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1041.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update", tracking: { current_release_date: "2024-11-22T09:21:36+00:00", generator: { date: "2024-11-22T09:21:36+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1041", initial_release_date: "2015-06-01T17:08:08+00:00", revision_history: [ { date: "2015-06-01T17:08:08+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:35:43+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:36+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.1", product: { name: "Red Hat JBoss A-MQ 6.1", product_id: "Red Hat JBoss A-MQ 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.1.0", }, }, }, { category: "product_name", name: "Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-06-01T17:08:08+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1041", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-06-01T17:08:08+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1041", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, ], }
RHSA-2015:2558
Vulnerability from csaf_redhat
Published
2015-12-07 20:46
Modified
2025-04-09 15:47
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update
Notes
Topic
Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues
and various bugs, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure.
This release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a
replacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various
bug fixes, which are listed in the README file included with the patch
files.
The following security issues are fixed with this release:
A flaw was discovered that when an application uses Groovy (has it on the
classpath) and uses the standard Java serialization mechanism, an attacker
can bake a special serialized object that executes code directly when
deserialized. All applications which rely on serialization and do not
isolate the code which deserializes objects are subject to this
vulnerability. (CVE-2015-3253)
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this security update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues\nand various bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a\nreplacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various\nbug fixes, which are listed in the README file included with the patch\nfiles.\n\nThe following security issues are fixed with this release:\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:2558", url: "https://access.redhat.com/errata/RHSA-2015:2558", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "1243934", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1243934", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2558.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update", tracking: { current_release_date: "2025-04-09T15:47:54+00:00", generator: { date: "2025-04-09T15:47:54+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2015:2558", initial_release_date: "2015-12-07T20:46:48+00:00", revision_history: [ { date: "2015-12-07T20:46:48+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:38:27+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T15:47:54+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse Service Works 6.2", product: { name: "Red Hat JBoss Fuse Service Works 6.2", product_id: "Red Hat JBoss Fuse Service Works 6.2", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse_service_works:6.2", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse Service Works", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, { cve: "CVE-2015-3253", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2015-07-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1243934", }, ], notes: [ { category: "description", text: "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.", title: "Vulnerability description", }, { category: "summary", text: "groovy: remote execution of untrusted code in class MethodClosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3253", }, { category: "external", summary: "RHBZ#1243934", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1243934", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3253", url: "https://www.cve.org/CVERecord?id=CVE-2015-3253", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", }, { category: "external", summary: "http://seclists.org/oss-sec/2015/q3/121", url: "http://seclists.org/oss-sec/2015/q3/121", }, ], release_date: "2015-07-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, { category: "workaround", details: "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "groovy: remote execution of untrusted code in class MethodClosure", }, ], }
rhsa-2015_1539
Vulnerability from csaf_redhat
Published
2015-08-03 19:41
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update
Notes
Topic
Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for
Red Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,
which are documented in the README.txt file included with the patch files.
The following security issues are also fixed with this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
A flaw was found in the dashbuilder import facility: the DocumentBuilders
instantiated in org.jboss.dashboard.export.ImportManagerImpl did not
disable external entities. This could allow an attacker to perform a
variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)
attacks. (CVE-2015-1818)
Red Hat would like to thank David Jorm of IIX Product Security for
reporting the CVE-2015-1818 issue.
All users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for\nRed Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,\nwhich are documented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nA flaw was found in the dashbuilder import facility: the DocumentBuilders\ninstantiated in org.jboss.dashboard.export.ImportManagerImpl did not\ndisable external entities. This could allow an attacker to perform a\nvariety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)\nattacks. (CVE-2015-1818)\n\nRed Hat would like to thank David Jorm of IIX Product Security for\nreporting the CVE-2015-1818 issue.\n\nAll users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1539", url: "https://access.redhat.com/errata/RHSA-2015:1539", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1201714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1201714", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1539.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update", tracking: { current_release_date: "2024-11-22T09:21:46+00:00", generator: { date: "2024-11-22T09:21:46+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1539", initial_release_date: "2015-08-03T19:41:04+00:00", revision_history: [ { date: "2015-08-03T19:41:04+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:35:41+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:46+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.0", product: { name: "Red Hat JBoss BPMS 6.0", product_id: "Red Hat JBoss BPMS 6.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.0", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, { acknowledgments: [ { names: [ "David Jorm", ], organization: "IIX Product Security", }, ], cve: "CVE-2015-1818", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1201714", }, ], notes: [ { category: "description", text: "A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks.", title: "Vulnerability description", }, { category: "summary", text: "dashbuilder: XXE/SSRF vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-1818", }, { category: "external", summary: "RHBZ#1201714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1201714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-1818", url: "https://www.cve.org/CVERecord?id=CVE-2015-1818", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", }, ], release_date: "2015-03-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dashbuilder: XXE/SSRF vulnerability", }, ], }
rhsa-2015:1539
Vulnerability from csaf_redhat
Published
2015-08-03 19:41
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update
Notes
Topic
Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for
Red Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,
which are documented in the README.txt file included with the patch files.
The following security issues are also fixed with this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
A flaw was found in the dashbuilder import facility: the DocumentBuilders
instantiated in org.jboss.dashboard.export.ImportManagerImpl did not
disable external entities. This could allow an attacker to perform a
variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)
attacks. (CVE-2015-1818)
Red Hat would like to thank David Jorm of IIX Product Security for
reporting the CVE-2015-1818 issue.
All users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for\nRed Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,\nwhich are documented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nA flaw was found in the dashbuilder import facility: the DocumentBuilders\ninstantiated in org.jboss.dashboard.export.ImportManagerImpl did not\ndisable external entities. This could allow an attacker to perform a\nvariety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)\nattacks. (CVE-2015-1818)\n\nRed Hat would like to thank David Jorm of IIX Product Security for\nreporting the CVE-2015-1818 issue.\n\nAll users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1539", url: "https://access.redhat.com/errata/RHSA-2015:1539", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1201714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1201714", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1539.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update", tracking: { current_release_date: "2024-11-22T09:21:46+00:00", generator: { date: "2024-11-22T09:21:46+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1539", initial_release_date: "2015-08-03T19:41:04+00:00", revision_history: [ { date: "2015-08-03T19:41:04+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:35:41+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:46+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.0", product: { name: "Red Hat JBoss BPMS 6.0", product_id: "Red Hat JBoss BPMS 6.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.0", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, { acknowledgments: [ { names: [ "David Jorm", ], organization: "IIX Product Security", }, ], cve: "CVE-2015-1818", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1201714", }, ], notes: [ { category: "description", text: "A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks.", title: "Vulnerability description", }, { category: "summary", text: "dashbuilder: XXE/SSRF vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-1818", }, { category: "external", summary: "RHBZ#1201714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1201714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-1818", url: "https://www.cve.org/CVERecord?id=CVE-2015-1818", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", }, ], release_date: "2015-03-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dashbuilder: XXE/SSRF vulnerability", }, ], }
rhsa-2015:1041
Vulnerability from csaf_redhat
Published
2015-06-01 17:08
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update
Notes
Topic
Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which
fixes two security issues, several bugs, and adds various enhancements, is
now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,
flexible, open source enterprise service bus and integration platform.
Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant
messaging system that is tailored for use in mission critical applications.
This patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ
6.1.0. It includes several bug fixes, which are documented in the
readme.txt file included with the patch files. The following security
issues are addressed in this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
Refer to the readme.txt file included with the patch files for
installation instructions.
All users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as
provided from the Red Hat Customer Portal are advised to apply this update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse and A-MQ 6.1.0 Patch 4 on Rollup Patch 2 (R2P4), which\nfixes two security issues, several bugs, and adds various enhancements, is\nnow available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint,\nflexible, open source enterprise service bus and integration platform.\nRed Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant\nmessaging system that is tailored for use in mission critical applications.\n\nThis patch is an update to Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ\n6.1.0. It includes several bug fixes, which are documented in the\nreadme.txt file included with the patch files. The following security\nissues are addressed in this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nRefer to the readme.txt file included with the patch files for\ninstallation instructions.\n\nAll users of Red Hat JBoss Fuse 6.1.0 and Red Hat JBoss A-MQ 6.1.0 as\nprovided from the Red Hat Customer Portal are advised to apply this update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1041", url: "https://access.redhat.com/errata/RHSA-2015:1041", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1041.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse/A-MQ 6.1.0 update", tracking: { current_release_date: "2024-11-22T09:21:36+00:00", generator: { date: "2024-11-22T09:21:36+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1041", initial_release_date: "2015-06-01T17:08:08+00:00", revision_history: [ { date: "2015-06-01T17:08:08+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:35:43+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:36+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss A-MQ 6.1", product: { name: "Red Hat JBoss A-MQ 6.1", product_id: "Red Hat JBoss A-MQ 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_amq:6.1.0", }, }, }, { category: "product_name", name: "Red Hat JBoss Fuse 6.1", product: { name: "Red Hat JBoss Fuse 6.1", product_id: "Red Hat JBoss Fuse 6.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse:6.1.0", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-06-01T17:08:08+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1041", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-06-01T17:08:08+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update).", product_ids: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1041", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss A-MQ 6.1", "Red Hat JBoss Fuse 6.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, ], }
rhsa-2015:1538
Vulnerability from csaf_redhat
Published
2015-08-03 19:41
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update
Notes
Topic
Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,
and adds various enhancements, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red
Hat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are
documented in the README.txt file included with the patch files.
The following security issues are also fixed with this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
All users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,\nand adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red\nHat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are\ndocumented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1538", url: "https://access.redhat.com/errata/RHSA-2015:1538", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1538.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update", tracking: { current_release_date: "2024-11-22T09:21:41+00:00", generator: { date: "2024-11-22T09:21:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1538", initial_release_date: "2015-08-03T19:41:41+00:00", revision_history: [ { date: "2015-08-03T19:41:41+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:36:20+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.0", product: { name: "Red Hat JBoss BRMS 6.0", product_id: "Red Hat JBoss BRMS 6.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_brms:6.0", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BRMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1538", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BRMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BRMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1538", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BRMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, ], }
rhsa-2015_1538
Vulnerability from csaf_redhat
Published
2015-08-03 19:41
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update
Notes
Topic
Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,
and adds various enhancements, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss BRMS is a business rules management system for the
management, storage, creation, modification, and deployment of JBoss Rules.
This release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red
Hat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are
documented in the README.txt file included with the patch files.
The following security issues are also fixed with this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
All users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer
Portal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss BRMS 6.1.2, which fixes two security issues, several bugs,\nand adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BRMS is a business rules management system for the\nmanagement, storage, creation, modification, and deployment of JBoss Rules.\n\nThis release of Red Hat JBoss BRMS 6.1.2 serves as a replacement for Red\nHat JBoss BRMS 6.1.0, and includes bug fixes and enhancements, which are\ndocumented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss BRMS 6.1.0 as provided from the Red Hat Customer\nPortal are advised to upgrade to Red Hat JBoss BRMS 6.1.2.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1538", url: "https://access.redhat.com/errata/RHSA-2015:1538", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1538.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BRMS 6.1.2 update", tracking: { current_release_date: "2024-11-22T09:21:41+00:00", generator: { date: "2024-11-22T09:21:41+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1538", initial_release_date: "2015-08-03T19:41:41+00:00", revision_history: [ { date: "2015-08-03T19:41:41+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:36:20+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:41+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BRMS 6.0", product: { name: "Red Hat JBoss BRMS 6.0", product_id: "Red Hat JBoss BRMS 6.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_brms:6.0", }, }, }, ], category: "product_family", name: "Red Hat Decision Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BRMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1538", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BRMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BRMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:41+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing the\nupdate, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BRMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1538", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BRMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, ], }
rhsa-2015:2558
Vulnerability from csaf_redhat
Published
2015-12-07 20:46
Modified
2025-04-09 15:47
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update
Notes
Topic
Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues
and various bugs, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure.
This release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a
replacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various
bug fixes, which are listed in the README file included with the patch
files.
The following security issues are fixed with this release:
A flaw was discovered that when an application uses Groovy (has it on the
classpath) and uses the standard Java serialization mechanism, an attacker
can bake a special serialized object that executes code directly when
deserialized. All applications which rely on serialization and do not
isolate the code which deserializes objects are subject to this
vulnerability. (CVE-2015-3253)
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this security update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues\nand various bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a\nreplacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various\nbug fixes, which are listed in the README file included with the patch\nfiles.\n\nThe following security issues are fixed with this release:\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:2558", url: "https://access.redhat.com/errata/RHSA-2015:2558", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "1243934", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1243934", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2558.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update", tracking: { current_release_date: "2025-04-09T15:47:54+00:00", generator: { date: "2025-04-09T15:47:54+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.2", }, }, id: "RHSA-2015:2558", initial_release_date: "2015-12-07T20:46:48+00:00", revision_history: [ { date: "2015-12-07T20:46:48+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:38:27+00:00", number: "2", summary: "Last updated version", }, { date: "2025-04-09T15:47:54+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse Service Works 6.2", product: { name: "Red Hat JBoss Fuse Service Works 6.2", product_id: "Red Hat JBoss Fuse Service Works 6.2", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse_service_works:6.2", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse Service Works", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, { cve: "CVE-2015-3253", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2015-07-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1243934", }, ], notes: [ { category: "description", text: "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.", title: "Vulnerability description", }, { category: "summary", text: "groovy: remote execution of untrusted code in class MethodClosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3253", }, { category: "external", summary: "RHBZ#1243934", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1243934", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3253", url: "https://www.cve.org/CVERecord?id=CVE-2015-3253", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", }, { category: "external", summary: "http://seclists.org/oss-sec/2015/q3/121", url: "http://seclists.org/oss-sec/2015/q3/121", }, ], release_date: "2015-07-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, { category: "workaround", details: "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "groovy: remote execution of untrusted code in class MethodClosure", }, ], }
rhsa-2015_2558
Vulnerability from csaf_redhat
Published
2015-12-07 20:46
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update
Notes
Topic
Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues
and various bugs, is now available from the Red Hat Customer Portal.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss Fuse Service Works is the next-generation ESB and business
process automation infrastructure.
This release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a
replacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various
bug fixes, which are listed in the README file included with the patch
files.
The following security issues are fixed with this release:
A flaw was discovered that when an application uses Groovy (has it on the
classpath) and uses the standard Java serialization mechanism, an attacker
can bake a special serialized object that executes code directly when
deserialized. All applications which rely on serialization and do not
isolate the code which deserializes objects are subject to this
vulnerability. (CVE-2015-3253)
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
All users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the
Red Hat Customer Portal are advised to apply this security update.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss Fuse Service Works 6.2.1, which fixes three security issues\nand various bugs, is now available from the Red Hat Customer Portal.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Fuse Service Works is the next-generation ESB and business\nprocess automation infrastructure.\n\nThis release of Red Hat JBoss Fuse Service Works 6.2.1 serves as a\nreplacement for Red Hat JBoss Fuse Service Works 6.0.0. It includes various\nbug fixes, which are listed in the README file included with the patch\nfiles.\n\nThe following security issues are fixed with this release:\n\nA flaw was discovered that when an application uses Groovy (has it on the\nclasspath) and uses the standard Java serialization mechanism, an attacker\ncan bake a special serialized object that executes code directly when\ndeserialized. All applications which rely on serialization and do not\nisolate the code which deserializes objects are subject to this\nvulnerability. (CVE-2015-3253)\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nAll users of Red Hat JBoss Fuse Service Works 6.0.0 as provided from the\nRed Hat Customer Portal are advised to apply this security update.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:2558", url: "https://access.redhat.com/errata/RHSA-2015:2558", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=distributions&version=6.2.1", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "1243934", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1243934", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_2558.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Fuse Service Works 6.2.1 update", tracking: { current_release_date: "2024-11-22T09:21:53+00:00", generator: { date: "2024-11-22T09:21:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:2558", initial_release_date: "2015-12-07T20:46:48+00:00", revision_history: [ { date: "2015-12-07T20:46:48+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:38:27+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Fuse Service Works 6.2", product: { name: "Red Hat JBoss Fuse Service Works 6.2", product_id: "Red Hat JBoss Fuse Service Works 6.2", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_fuse_service_works:6.2", }, }, }, ], category: "product_family", name: "Red Hat JBoss Fuse Service Works", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, { cve: "CVE-2015-3253", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2015-07-16T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1243934", }, ], notes: [ { category: "description", text: "A flaw was discovered in the way applications using Groovy used the standard Java serialization mechanism. A remote attacker could use a specially crafted serialized object that would execute code directly when deserialized. All applications which rely on serialization and do not isolate the code which deserializes objects are subject to this vulnerability.", title: "Vulnerability description", }, { category: "summary", text: "groovy: remote execution of untrusted code in class MethodClosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-3253", }, { category: "external", summary: "RHBZ#1243934", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1243934", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-3253", url: "https://www.cve.org/CVERecord?id=CVE-2015-3253", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-3253", }, { category: "external", summary: "http://seclists.org/oss-sec/2015/q3/121", url: "http://seclists.org/oss-sec/2015/q3/121", }, ], release_date: "2015-07-16T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-12-07T20:46:48+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the updates). Before applying the updates, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:2558", }, { category: "workaround", details: "Apply the following patch on the MethodClosure class (src/main/org/codehaus/groovy/runtime/MethodClosure.java):\n\n public class MethodClosure extends Closure {\n + private Object readResolve() {\n + throw new UnsupportedOperationException();\n + \n }\n\nAlternatively, you should make sure to use a custom security policy file (using the standard Java security manager) or make sure that you do not rely on serialization to communicate remotely.", product_ids: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 9.6, baseSeverity: "CRITICAL", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Fuse Service Works 6.2", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "groovy: remote execution of untrusted code in class MethodClosure", }, ], }
RHSA-2015:1539
Vulnerability from csaf_redhat
Published
2015-08-03 19:41
Modified
2024-11-22 09:21
Summary
Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update
Notes
Topic
Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several
bugs, and adds various enhancements, is now available from the Red Hat
Customer Portal.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat JBoss BPM Suite is a business rules and processes management system
for the management, storage, creation, modification, and deployment of
JBoss rules and BPMN2-compliant business processes.
This release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for
Red Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,
which are documented in the README.txt file included with the patch files.
The following security issues are also fixed with this release:
It was found that Apache Camel's XML converter performed XML External
Entity (XXE) expansion. A remote attacker able to submit an SAXSource
containing an XXE declaration could use this flaw to read files accessible
to the user running the application server, and potentially perform other
more advanced XXE attacks. (CVE-2015-0263)
It was found that Apache Camel performed XML External Entity (XXE)
expansion when evaluating invalid XML Strings or invalid XML GenericFile
objects. A remote attacker able to submit a crafted XML message could use
this flaw to read files accessible to the user running the application
server, and potentially perform other more advanced XXE attacks.
(CVE-2015-0264)
A flaw was found in the dashbuilder import facility: the DocumentBuilders
instantiated in org.jboss.dashboard.export.ImportManagerImpl did not
disable external entities. This could allow an attacker to perform a
variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)
attacks. (CVE-2015-1818)
Red Hat would like to thank David Jorm of IIX Product Security for
reporting the CVE-2015-1818 issue.
All users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat
Customer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Moderate", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Red Hat JBoss BPM Suite 6.1.2, which fixes three security issues, several\nbugs, and adds various enhancements, is now available from the Red Hat\nCustomer Portal.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss BPM Suite is a business rules and processes management system\nfor the management, storage, creation, modification, and deployment of\nJBoss rules and BPMN2-compliant business processes.\n\nThis release of Red Hat JBoss BPM Suite 6.1.2 serves as a replacement for\nRed Hat JBoss BPM Suite 6.1.0, and includes bug fixes and enhancements,\nwhich are documented in the README.txt file included with the patch files.\n\nThe following security issues are also fixed with this release:\n\nIt was found that Apache Camel's XML converter performed XML External\nEntity (XXE) expansion. A remote attacker able to submit an SAXSource\ncontaining an XXE declaration could use this flaw to read files accessible\nto the user running the application server, and potentially perform other\nmore advanced XXE attacks. (CVE-2015-0263)\n\nIt was found that Apache Camel performed XML External Entity (XXE)\nexpansion when evaluating invalid XML Strings or invalid XML GenericFile\nobjects. A remote attacker able to submit a crafted XML message could use\nthis flaw to read files accessible to the user running the application\nserver, and potentially perform other more advanced XXE attacks.\n(CVE-2015-0264)\n\nA flaw was found in the dashbuilder import facility: the DocumentBuilders\ninstantiated in org.jboss.dashboard.export.ImportManagerImpl did not\ndisable external entities. This could allow an attacker to perform a\nvariety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF)\nattacks. (CVE-2015-1818)\n\nRed Hat would like to thank David Jorm of IIX Product Security for\nreporting the CVE-2015-1818 issue.\n\nAll users of Red Hat JBoss BPM Suite 6.1.0 as provided from the Red Hat\nCustomer Portal are advised to upgrade to Red Hat JBoss BPM Suite 6.1.2.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2015:1539", url: "https://access.redhat.com/errata/RHSA-2015:1539", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#moderate", url: "https://access.redhat.com/security/updates/classification/#moderate", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.1.0", }, { category: "external", summary: "1201714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1201714", }, { category: "external", summary: "1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2015/rhsa-2015_1539.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss BPM Suite 6.1.2 update", tracking: { current_release_date: "2024-11-22T09:21:46+00:00", generator: { date: "2024-11-22T09:21:46+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2015:1539", initial_release_date: "2015-08-03T19:41:04+00:00", revision_history: [ { date: "2015-08-03T19:41:04+00:00", number: "1", summary: "Initial version", }, { date: "2019-02-20T12:35:41+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T09:21:46+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss BPMS 6.0", product: { name: "Red Hat JBoss BPMS 6.0", product_id: "Red Hat JBoss BPMS 6.0", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_bpms:6.0", }, }, }, ], category: "product_family", name: "Red Hat Process Automation Manager", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2015-0263", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203344", }, ], notes: [ { category: "description", text: "It was found that Apache Camel's XML converter performed XML External Entity (XXE) expansion. A remote attacker able to submit an SAXSource containing an XXE declaration could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE in via SAXSource expansion", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0263", }, { category: "external", summary: "RHBZ#1203344", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203344", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0263", url: "https://www.cve.org/CVERecord?id=CVE-2015-0263", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE in via SAXSource expansion", }, { cve: "CVE-2015-0264", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-17T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1203341", }, ], notes: [ { category: "description", text: "It was found that Apache Camel performed XML External Entity (XXE) expansion when evaluating invalid XML Strings or invalid XML GenericFile objects. A remote attacker able to submit a crafted XML message could use this flaw to read files accessible to the user running the application server, and potentially perform other more advanced XXE attacks.", title: "Vulnerability description", }, { category: "summary", text: "Camel: XXE via XPath expression evaluation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-0264", }, { category: "external", summary: "RHBZ#1203341", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1203341", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-0264", url: "https://www.cve.org/CVERecord?id=CVE-2015-0264", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0264", }, { category: "external", summary: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0264.txt.asc", }, ], release_date: "2015-03-17T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Camel: XXE via XPath expression evaluation", }, { acknowledgments: [ { names: [ "David Jorm", ], organization: "IIX Product Security", }, ], cve: "CVE-2015-1818", cwe: { id: "CWE-611", name: "Improper Restriction of XML External Entity Reference", }, discovery_date: "2015-03-13T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1201714", }, ], notes: [ { category: "description", text: "A flaw was found in the dashbuilder import facility: the DocumentBuilders instantiated in org.jboss.dashboard.export.ImportManagerImpl did not disable external entities. This could allow an attacker to perform a variety of XML External Entity (XXE) and Server-Side Request Forgery (SSRF) attacks.", title: "Vulnerability description", }, { category: "summary", text: "dashbuilder: XXE/SSRF vulnerability", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss BPMS 6.0", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-1818", }, { category: "external", summary: "RHBZ#1201714", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1201714", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-1818", url: "https://www.cve.org/CVERecord?id=CVE-2015-1818", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-1818", }, ], release_date: "2015-03-13T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2015-08-03T19:41:04+00:00", details: "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up your\nexisting installation, including all applications, configuration files,\ndatabases and database settings, and so on.\n\nIt is recommended to halt the server by stopping the JBoss Application\nServer process before installing this update, and then after installing\nthe update, restart the server by starting the JBoss Application Server\nprocess.", product_ids: [ "Red Hat JBoss BPMS 6.0", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2015:1539", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, products: [ "Red Hat JBoss BPMS 6.0", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "dashbuilder: XXE/SSRF vulnerability", }, ], }
gsd-2015-0263
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
Aliases
Aliases
{ GSD: { alias: "CVE-2015-0263", description: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", id: "GSD-2015-0263", references: [ "https://access.redhat.com/errata/RHSA-2015:2558", "https://access.redhat.com/errata/RHSA-2015:1539", "https://access.redhat.com/errata/RHSA-2015:1538", "https://access.redhat.com/errata/RHSA-2015:1041", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2015-0263", ], details: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", id: "GSD-2015-0263", modified: "2023-12-13T01:19:58.807653Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-0263", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2015:1539", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { name: "RHSA-2015:1041", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { name: "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", refsource: "CONFIRM", url: "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { name: "RHSA-2015:1538", refsource: "REDHAT", url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { name: "1032442", refsource: "SECTRACK", url: "http://www.securitytracker.com/id/1032442", }, { name: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", refsource: "CONFIRM", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, "gitlab.com": { advisories: [ { affected_range: "(,2.13.3],[2.14-alpha0,2.14.1]", affected_versions: "All versions up to 2.13.3, all versions starting from 2.14-alpha0 up to 2.14.1", cvss_v2: "AV:N/AC:L/Au:N/C:P/I:N/A:N", cwe_ids: [ "CWE-1035", "CWE-937", ], date: "2019-05-24", description: "XML external entity (XXE) vulnerability in the XML converter setup in `converter/jaxp/XmlConverter.java` in this package allows remote attackers to read arbitrary files via an external entity in an SAXSource.", fixed_versions: [ "2.13.4", "2.14.2", ], identifier: "CVE-2015-0263", identifiers: [ "CVE-2015-0263", ], not_impacted: "All versions after 2.13.3 before 2.14-alpha0, all versions after 2.14.1", package_slug: "maven/org.apache.camel/camel-core", pubdate: "2015-06-03", solution: "Upgrade to versions 2.13.4, 2.14.2 or above.", title: "XXE in Apache Camel", urls: [ "http://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc?version=1&modificationDate=1426539178000&api=v2", "http://camel.apache.org/security-advisories.html", "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0263", ], uuid: "0a117f5b-7287-4bf0-a483-5b062dcbadc6", }, ], }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, { cpe23Uri: "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", cpe_name: [], versionEndIncluding: "2.13.3", vulnerable: true, }, ], operator: "OR", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2015-0263", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], }, ], }, references: { reference_data: [ { name: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", refsource: "CONFIRM", tags: [ "Vendor Advisory", ], url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { name: "1032442", refsource: "SECTRACK", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1032442", }, { name: "RHSA-2015:1041", refsource: "REDHAT", tags: [ "Release Notes", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { name: "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", refsource: "CONFIRM", tags: [ "Patch", ], url: "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { name: "RHSA-2015:1538", refsource: "REDHAT", tags: [ "Release Notes", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { name: "RHSA-2015:1539", refsource: "REDHAT", tags: [], url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { name: "[camel-commits] 20190430 svn commit: r1044347 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0194.txt.asc security-advisories.html", refsource: "MLIST", tags: [], url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { name: "[camel-commits] 20190524 svn commit: r1045395 - in /websites/production/camel/content: cache/main.pageCache security-advisories.data/CVE-2019-0188.txt.asc security-advisories.html", refsource: "MLIST", tags: [], url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, ], }, }, impact: { baseMetricV2: { cvssV2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "MEDIUM", userInteractionRequired: false, }, }, lastModifiedDate: "2019-05-24T11:29Z", publishedDate: "2015-06-03T20:59Z", }, }, }
ghsa-3hrc-f439-727g
Vulnerability from github
Published
2018-10-16 23:08
Modified
2022-11-17 18:38
Summary
Apache Camel XML External Entity vulnerability
Details
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
{ affected: [ { package: { ecosystem: "Maven", name: "org.apache.camel:camel-core", }, ranges: [ { events: [ { introduced: "0", }, { fixed: "2.13.4", }, ], type: "ECOSYSTEM", }, ], }, { package: { ecosystem: "Maven", name: "org.apache.camel:camel-core", }, ranges: [ { events: [ { introduced: "2.14.0", }, { fixed: "2.14.2", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2015-0263", ], database_specific: { cwe_ids: [ "CWE-611", ], github_reviewed: true, github_reviewed_at: "2020-06-16T20:55:17Z", nvd_published_at: null, severity: "MODERATE", }, details: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", id: "GHSA-3hrc-f439-727g", modified: "2022-11-17T18:38:58Z", published: "2018-10-16T23:08:43Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-0263", }, { type: "WEB", url: "https://github.com/apache/camel/commit/06db9e0744f2bb9f6e3bf16c0dfe7099a3481558", }, { type: "WEB", url: "https://github.com/apache/camel/commit/367d53e73c8b5a1e73c24423e631709f9a96e08d", }, { type: "WEB", url: "https://github.com/apache/camel/commit/7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { type: "WEB", url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { type: "WEB", url: "https://git-wip-us.apache.org/repos/asf?p=camel.git;a=commitdiff;h=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { type: "ADVISORY", url: "https://github.com/advisories/GHSA-3hrc-f439-727g", }, { type: "PACKAGE", url: "https://github.com/apache/camel", }, { type: "WEB", url: "https://issues.apache.org/jira/browse/CAMEL-8312", }, { type: "WEB", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf@%3Ccommits.camel.apache.org%3E", }, { type: "WEB", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d@%3Ccommits.camel.apache.org%3E", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { type: "WEB", url: "http://www.securitytracker.com/id/1032442", }, ], schema_version: "1.4.0", severity: [], summary: "Apache Camel XML External Entity vulnerability", }
fkie_cve-2015-0263
Vulnerability from fkie_nvd
Published
2015-06-03 20:59
Modified
2025-04-12 10:46
Severity ?
Summary
XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", matchCriteriaId: "3E65DC32-33D4-46FB-97AD-0ACF0DDF6E00", versionEndIncluding: "2.13.3", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:camel:2.14.0:*:*:*:*:*:*:*", matchCriteriaId: "BF8F319C-1212-4787-A1E8-15D576527EF2", vulnerable: true, }, { criteria: "cpe:2.3:a:apache:camel:2.14.1:*:*:*:*:*:*:*", matchCriteriaId: "17E12D85-196F-4723-A4EC-7DC900087AC5", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary files via an external entity in an SAXSource.", }, { lang: "es", value: "Vulnerabilidad de entidad externa XML (XXE) en el montaje del convertidor XML en converter/jaxp/XmlConverter.java en Apache Camel anterior a 2.13.4 y 2.14.x anterior a 2.14.2 p3ermite a atacantes remotos leer ficheros arbitrarios a través de una entidad externa en una SAXSource.", }, ], evaluatorComment: "<a href=\"http://cwe.mitre.org/data/definitions/611.html\">CWE-611: Improper Restriction of XML External Entity Reference ('XXE')</a>", id: "CVE-2015-0263", lastModified: "2025-04-12T10:46:40.837", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 10, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2015-06-03T20:59:02.917", references: [ { source: "secalert@redhat.com", tags: [ "Release Notes", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { source: "secalert@redhat.com", tags: [ "Release Notes", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { source: "secalert@redhat.com", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1032442", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { source: "secalert@redhat.com", url: "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, { source: "secalert@redhat.com", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1041.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Release Notes", ], url: "http://rhn.redhat.com/errata/RHSA-2015-1538.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2015-1539.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", "VDB Entry", ], url: "http://www.securitytracker.com/id/1032442", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://camel.apache.org/security-advisories.data/CVE-2015-0263.txt.asc", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://git-wip-us.apache.org/repos/asf?p=camel.git%3Ba=commitdiff%3Bh=7d19340bcdb42f7aae584d9c5003ac4f7ddaee36", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/2318d7f7d87724d8716cd650c21b31cb06e4d34f6d0f5ee42f28fdaf%40%3Ccommits.camel.apache.org%3E", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.apache.org/thread.html/b4014ea7c5830ca1fc28edd5cafedfe93ad4af2d9e69c961c5def31d%40%3Ccommits.camel.apache.org%3E", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Deferred", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-Other", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.