Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | VUL-0: CVE-2021-41411: drools: XXE injection in KieModuleMarshaller.java | | |
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Thomas Leroy <thomas.leroy> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | cathy.hu, michele.bussolotto, rfrohl, security-team, stoyan.manolov, thomas.leroy |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/334934/ | | |
| Whiteboard: | CVSSv3.1:SUSE:CVE-2021-41411:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Thomas Leroy
2022-06-17 09:15:44 UTC
No bugowner/maintainer is assigned for this package...

@Frantisek, I saw you submitted the last version update for drools, so I assigned this bug to you, but let me know if someone else would be a better fit.

The following codestreams are affected:

- SUSE:SLE-15-SP2:Update:Products:Manager41:Update
- SUSE:SLE-15-SP3:Update:Products:Manager42:Update
- SUSE:SLE-15-SP4:Update:Products:Manager43:Update

reassigned to Thomas Florio (@Frantisek is no longer at SUSE)

We discussed this within the team and since the security issue is not under embargo nor is there a deadline for the release, the fix is currently submitted to the SUSE Manager development code streams:

- Devel:Galaxy:Manager:Head:Other
- Devel:Galaxy:Manager:4.3
- Devel:Galaxy:Manager:4.2

It will be available with the next scheduled MUs. The fix will not be available for Manager 4.1 though, since no further MUs are scheduled for it. Please let us know if this solution is acceptable.

(In reply to Thomas Leroy from comment #5)
> Thanks for your work, Thomas. I think that's fine for SUMA 4.2 and 4.3. But
> for 4.1, does it mean that it's already EoL?

The last Manager 4.1 scheduled release was 4.1.15, on the 20th June.

From my understanding, we would do an additional unscheduled MU only in case of an L3. So version 4.1 is still supported until the end of October, but only if we have a direct customer request.

If you want, I can try to discuss this again next week to see if we could have an additional release for this fix.

(In reply to Thomas Florio from comment #6)
> (In reply to Thomas Leroy from comment #5)
> > Thanks for your work, Thomas. I think that's fine for SUMA 4.2 and 4.3. But
> > for 4.1, does it mean that it's already EoL?
>
> The last Manager 4.1 scheduled release was 4.1.15, on the 20th June.
>
> From my understanding, we would do an additional unscheduled MU only in case
> of an L3. So version 4.1 is still supported until the end of October, but
> only if we have a direct customer request.
>
> If you want, I can try to discuss this again next week to see if we could
> have an additional release for this fix.

If an MU is doable in a reasonable amount of work/time, it would be appreciable. Otherwise, I will leave 4.1 as still affected, and wait for eventual L3 requests.

(In reply to Thomas Leroy from comment #7)
> Otherwise, I will leave 4.1 as still affected, and wait for eventual L3 requests.

That's the approach decided by the team. 4.2 and 4.3 will be fixed by their next respective MUs. If we release a new MU for 4.1, I'll make sure this fix is part of it.

SUSE-SU-2022:3314-1: An update that solves four vulnerabilities and has 35 fixes is now available.

Category: security (critical)
Bug References: 1172705,1187028,1195455,1195895,1196729,1198168,1198489,1198738,1198903,1199372,1199659,1199913,1199950,1200276,1200296,1200480,1200532,1200573,1200591,1200629,1201142,1201189,1201210,1201220,1201224,1201527,1201606,1201607,1201626,1201753,1201913,1201918,1202142,1202272,1202464,1202728,1203287,1203288,1203449
CVE References: CVE-2021-41411,CVE-2021-42740,CVE-2021-43138,CVE-2022-31129
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): drools-7.17.0-150300.4.6.2, httpcomponents-asyncclient-4.1.4-150300.3.3.2, image-sync-formula-0.1.1661440526.b08d95b-150300.3.3.2, inter-server-sync-0.2.3-150300.8.22.2, patterns-suse-manager-4.2-150300.4.12.2, py27-compat-salt-3000.3-150300.7.7.23.2, salt-netapi-client-0.20.0-150300.3.9.4, saltboot-formula-0.1.1661440526.b08d95b-150300.3.12.2, spacecmd-4.2.19-150300.4.27.2, spacewalk-admin-4.2.12-150300.3.15.3, spacewalk-backend-4.2.24-150300.4.29.5, spacewalk-certs-tools-4.2.18-150300.3.24.3, spacewalk-client-tools-4.2.20-150300.4.24.3, spacewalk-java-4.2.41-150300.3.43.5, spacewalk-search-4.2.8-150300.3.12.2, spacewalk-web-4.2.29-150300.3.27.3, subscription-matcher-0.29-150300.6.12.2, susemanager-4.2.37-150300.3.41.1, susemanager-doc-indexes-4.2-150300.12.33.4, susemanager-docs_en-4.2-150300.12.33.2, susemanager-schema-4.2.24-150300.3.27.3, susemanager-sls-4.2.27-150300.3.33.4, uyuni-common-libs-4.2.7-150300.3.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2022:3313-1: An update that solves four vulnerabilities and has 36 fixes is now available.

Category: security (critical)
Bug References: 1172705,1187028,1195455,1195895,1196729,1198168,1198489,1198738,1198903,1199372,1199659,1199913,1199950,1200276,1200296,1200480,1200532,1200573,1200591,1200629,1201142,1201189,1201210,1201220,1201224,1201527,1201606,1201607,1201626,1201753,1201913,1201918,1202142,1202272,1202464,1202724,1202728,1203287,1203288,1203449
CVE References: CVE-2021-41411,CVE-2021-42740,CVE-2021-43138,CVE-2022-31129
JIRA References:
Sources used:
SUSE Manager Server 4.2 (src): release-notes-susemanager-4.2.9-150300.3.54.1
SUSE Manager Retail Branch Server 4.2 (src): release-notes-susemanager-proxy-4.2.9-150300.3.43.1
SUSE Manager Proxy 4.2 (src): release-notes-susemanager-proxy-4.2.9-150300.3.43.1

SUSE-SU-2022:3314-1: An update that solves four vulnerabilities and has 36 fixes is now available.

Category: security (critical)
Bug References: 1172705,1187028,1195455,1195895,1196729,1198168,1198489,1198738,1198903,1199372,1199659,1199913,1199950,1200276,1200296,1200480,1200532,1200573,1200591,1200629,1201142,1201189,1201210,1201220,1201224,1201527,1201606,1201607,1201626,1201753,1201913,1201918,1202142,1202272,1202464,1202724,1202728,1203287,1203288,1203449
CVE References: CVE-2021-41411,CVE-2021-42740,CVE-2021-43138,CVE-2022-31129
JIRA References:
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src): drools-7.17.0-150300.4.6.2, httpcomponents-asyncclient-4.1.4-150300.3.3.2, image-sync-formula-0.1.1661440526.b08d95b-150300.3.3.2, inter-server-sync-0.2.3-150300.8.22.2, patterns-suse-manager-4.2-150300.4.12.2, py27-compat-salt-3000.3-150300.7.7.23.2, salt-netapi-client-0.20.0-150300.3.9.4, saltboot-formula-0.1.1661440526.b08d95b-150300.3.12.2, spacecmd-4.2.19-150300.4.27.2, spacewalk-admin-4.2.12-150300.3.15.3, spacewalk-backend-4.2.24-150300.4.29.5, spacewalk-certs-tools-4.2.18-150300.3.24.3, spacewalk-client-tools-4.2.20-150300.4.24.3, spacewalk-java-4.2.41-150300.3.43.5, spacewalk-search-4.2.8-150300.3.12.2, spacewalk-web-4.2.29-150300.3.27.3, subscription-matcher-0.29-150300.6.12.2, susemanager-4.2.37-150300.3.41.1, susemanager-doc-indexes-4.2-150300.12.33.4, susemanager-docs_en-4.2-150300.12.33.2, susemanager-schema-4.2.24-150300.3.27.3, susemanager-sls-4.2.27-150300.3.33.4, uyuni-common-libs-4.2.7-150300.3.9.2
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.2 (src): mgr-daemon-4.2.10-150300.2.9.4, patterns-suse-manager-4.2-150300.4.12.2, spacecmd-4.2.19-150300.4.27.2, spacewalk-backend-4.2.24-150300.4.29.5, spacewalk-certs-tools-4.2.18-150300.3.24.3, spacewalk-client-tools-4.2.20-150300.4.24.3, spacewalk-proxy-4.2.12-150300.3.21.3, spacewalk-web-4.2.29-150300.3.27.3, susemanager-tftpsync-recv-4.2.5-150300.3.6.2, uyuni-common-libs-4.2.7-150300.3.9.2

SUSE-SU-2022:3750-1: An update that solves 5 vulnerabilities, contains one feature and has 40 fixes is now available.

Category: security (moderate)
Bug References: 1191857,1195624,1196729,1197027,1198168,1198903,1199726,1200480,1200573,1200629,1201210,1201220,1201260,1201589,1201626,1201753,1201788,1201913,1201918,1202271,1202272,1202367,1202455,1202464,1202602,1202728,1202729,1202805,1202899,1203026,1203049,1203056,1203169,1203287,1203288,1203385,1203406,1203422,1203449,1203478,1203484,1203564,1203585,1203611,1204208
CVE References: CVE-2021-41411,CVE-2021-42740,CVE-2021-43138,CVE-2022-0860,CVE-2022-31129
JIRA References: SUMA-112
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (src): cobbler-3.3.3-150400.5.7.1, drools-7.17.0-150400.3.6.1, image-sync-formula-0.1.1661440542.6cbe0da-150400.3.6.1, inter-server-sync-0.2.3-150400.3.6.1, locale-formula-0.3-150400.3.3.1, python-magic-5.32-150000.7.16.1, python-schema-0.6.7-150400.10.3.1, python-urlgrabber-4.1.0-150400.3.6.1, reprepro-5.4.0-150400.3.6.1, saltboot-formula-0.1.1661440542.6cbe0da-150400.3.3.1, spacecmd-4.3.15-150400.3.6.4, spacewalk-admin-4.3.10-150400.3.3.2, spacewalk-backend-4.3.16-150400.3.6.8, spacewalk-certs-tools-4.3.15-150400.3.6.2, spacewalk-client-tools-4.3.12-150400.3.6.6, spacewalk-java-4.3.38-150400.3.8.3, spacewalk-search-4.3.7-150400.3.6.2, spacewalk-setup-4.3.12-150400.3.8.1, spacewalk-utils-4.3.14-150400.3.6.3, spacewalk-web-4.3.24-150400.3.6.4, subscription-matcher-0.29-150400.3.7.1, susemanager-4.3.19-150400.3.6.4, susemanager-build-keys-15.4.3-150400.3.6.1, susemanager-docs_en-4.3-150400.9.6.1, susemanager-schema-4.3.14-150400.3.6.5, susemanager-sls-4.3.25-150400.3.6.4, susemanager-sync-data-4.3.9-150400.3.3.1, susemanager-tftpsync-4.3.2-150400.3.3.4, uyuni-common-libs-4.3.6-150400.3.6.4, uyuni-reportdb-schema-4.3.6-150400.3.3.6
SUSE Linux Enterprise Module for SUSE Manager Proxy 4.3 (src): mgr-daemon-4.3.6-150400.3.6.4, spacecmd-4.3.15-150400.3.6.4, spacewalk-backend-4.3.16-150400.3.6.8, spacewalk-certs-tools-4.3.15-150400.3.6.2, spacewalk-client-tools-4.3.12-150400.3.6.6, spacewalk-web-4.3.24-150400.3.6.4, susemanager-build-keys-15.4.3-150400.3.6.1, susemanager-tftpsync-recv-4.3.7-150400.3.3.3, uyuni-common-libs-4.3.6-150400.3.6.4

SUSE-SU-2022:3761-1: An update that solves 5 vulnerabilities and has 39 fixes is now available.

Category: security (moderate)
Bug References: 1191857,1195624,1196729,1197027,1198168,1198903,1199726,1200480,1200573,1200629,1201210,1201220,1201260,1201589,1201626,1201753,1201788,1201913,1201918,1202271,1202272,1202367,1202455,1202464,1202602,1202728,1202729,1202805,1202899,1203026,1203049,1203056,1203169,1203287,1203288,1203385,1203406,1203422,1203449,1203478,1203484,1203564,1203585,1203611
CVE References: CVE-2021-41411,CVE-2021-42740,CVE-2021-43138,CVE-2022-0860,CVE-2022-31129
JIRA References:
Sources used:
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.2-150400.3.15.1
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.2-150400.3.9.3
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.2-150400.3.9.3