Bug 1133198 - (CVE-2019-5427) VUL-1: CVE-2019-5427: c3p0: version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/230111/
Whiteboard: CVSSv3:SUSE:CVE-2019-5427:5.7:(AV:N/...
Depends on:
Blocks:

Reported: 2019-04-24 06:01 UTC by Marcus Meissner
Modified: 2022-04-25 19:35 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2019-04-24 06:01:43 UTC
CVE-2019-5427

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading
XML configuration due to missing protections against recursive entity expansion
when loading configuration.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5427
http://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5427.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
http://www.cvedetails.com/cve/CVE-2019-5427/
https://hackerone.com/reports/509315
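The description above states the whole bug: before 0.9.5.4 the XML configuration loader expanded recursively nested entity declarations, so a small configuration file could expand to gigabytes of text and exhaust memory. The block below is an added example, not c3p0's own code (c3p0 is Java; its fix is in the commit linked later in this bug). It models the two behaviours in Python: a permissive parser that honours an inline DTD, and a strict loader that aborts on the DOCTYPE start event before a single entity is expanded. The `c3p0-config.xml`-style layout, the `DoctypeRejected` class, and the payload are constructed for this example; the payload is kept to 3 levels x 10 references (1,000 expansions) so it is harmless to run.

```python
"""Billion-laughs exposure in an XML configuration loader, and a strict loader.

Added example, not c3p0's code. Models the behaviour described in
CVE-2019-5427 with Python's stdlib parser; all inputs are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat

# Constructed billion-laughs payload, deliberately small: 3 levels x 10
# references = 1,000 copies of "lol". A real attack nests ~10 levels for
# ~10^9 copies, which is what makes a few hundred bytes exhaust memory.
LAUGHS_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE c3p0-config [
  <!ENTITY lol "lol">
  <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<c3p0-config>
  <default-config>
    <property name="user">&lol3;</property>
  </default-config>
</c3p0-config>
"""

# Constructed benign configuration in the same layout (no DOCTYPE).
BENIGN_CONFIG = """<?xml version="1.0"?>
<c3p0-config>
  <default-config>
    <property name="user">appuser</property>
    <property name="maxPoolSize">20</property>
  </default-config>
</c3p0-config>
"""


class DoctypeRejected(ValueError):
    """Hypothetical error type: raised when a config document carries a DOCTYPE."""


def parse_permissive(xml_text: str) -> ET.Element:
    """Pre-fix behaviour: the parser honours the inline DTD and expands every
    entity reference, so the amount of text produced grows geometrically
    with the nesting depth of the declarations."""
    return ET.fromstring(xml_text)


def parse_strict(xml_text: str) -> ET.Element:
    """Hardened loader: a configuration file has no business declaring a
    DOCTYPE, so abort on the DOCTYPE start event. Expat reports that event
    before it reads the internal subset, so no entity is ever expanded."""
    gate = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(
            f"refusing DOCTYPE '{name}': entity declarations are not "
            "allowed in configuration")

    gate.StartDoctypeDeclHandler = on_doctype
    gate.Parse(xml_text, True)  # raises on a DOCTYPE; otherwise only checks well-formedness
    return ET.fromstring(xml_text)


def property_value(root: ET.Element, name: str):
    """Return the text of <property name=...>, or None if it is absent."""
    for prop in root.iter("property"):
        if prop.get("name") == name:
            return prop.text or ""
    return None


def amplification(xml_text: str) -> float:
    """How many times larger the expanded 'user' value is than the whole
    input document, under the permissive parser."""
    expanded = property_value(parse_permissive(xml_text), "user")
    return len(expanded) / len(xml_text)


if __name__ == "__main__":
    user = property_value(parse_permissive(LAUGHS_CONFIG), "user")
    print(f"permissive: 'user' expanded to {len(user)} chars "
          f"(x{amplification(LAUGHS_CONFIG):.1f} the input size)")
    try:
        parse_strict(LAUGHS_CONFIG)
    except DoctypeRejected as exc:
        print("strict:", exc)
    print("strict, benign config:", property_value(parse_strict(BENIGN_CONFIG), "user"))
```

Refusing the DOCTYPE outright is the simplest complete defence, because entity declarations (internal, external, and parameter) can only appear inside one; the Java equivalent is setting the `http://apache.org/xml/features/disallow-doctype-decl` feature on the `DocumentBuilderFactory` before parsing, and in Python the `defusedxml` package packages the same handler-based checks. Note that libexpat 2.4.1 and newer caps the amplification ratio once output passes a size threshold, which is why the payload here is kept small enough to expand fully; a loader that merely relies on that cap still accepts attacker-controlled DTDs.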
Comment 1 Marcus Meissner 2019-04-24 06:02:26 UTC
only in SUSE Manager here, not clear how much untrusted input this could get
Comment 2 Michael Calmer 2022-02-09 16:13:05 UTC
Seems to be the commit which fixes the problem.

https://github.com/swaldman/c3p0/commit/f38f27635c384806c2a9d6500d80183d9f09d78b

Maybe we should also think about updating to a newer version at least for 4.3
Comment 5 Michael Calmer 2022-03-06 13:56:10 UTC
Will go out with the next regular maintenance updates for 4.1 and 4.2.
Also available for 4.3/Beta and Uyuni.

Re-assign to security-team for tracking.
Comment 7 Swamp Workflow Management 2022-03-10 14:26:51 UTC
SUSE-RU-2022:0795-1: An update that has 12 recommended fixes can now be installed.

Category: recommended (moderate)
Bug References: 1097531,1133198,1190781,1191360,1192510,1192566,1192822,1193565,1194044,1194363,1195043,1195282
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.14-3.73.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.14-3.53.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.14-3.53.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-03-10 14:28:58 UTC
SUSE-SU-2022:0798-1: An update that solves two vulnerabilities and has 11 fixes is now available.

Category: security (moderate)
Bug References: 1097531,1133198,1190781,1191360,1192510,1192566,1192822,1193565,1194044,1194363,1194464,1195043,1195282
CVE References: CVE-2018-20433,CVE-2019-5427
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    c3p0-0.9.5.5-3.3.2, dhcpd-formula-0.1.1641480250.d5bd14c-3.3.2, hub-xmlrpc-api-0.7-3.9.2, py26-compat-msgpack-python-0.4.6-3.6.2, py27-compat-salt-3000.3-6.21.2, spacecmd-4.1.17-4.36.2, spacewalk-java-4.1.44-3.66.2, spacewalk-web-4.1.32-3.42.2, susemanager-4.1.33-3.45.2, susemanager-doc-indexes-4.1-11.52.2, susemanager-docs_en-4.1-11.52.2, susemanager-schema-4.1.25-3.42.2, susemanager-sls-4.1.34-3.59.2

Comment 15 Swamp Workflow Management 2022-04-25 19:21:44 UTC
SUSE-SU-2022:1397-1: An update that solves two vulnerabilities and has 31 fixes is now available.

Category: security (moderate)
Bug References: 1133198,1173527,1186336,1191360,1191597,1192150,1192822,1193448,1194363,1194447,1194464,1194909,1195043,1195145,1195271,1195282,1195294,1195666,1195712,1195750,1195757,1195762,1195765,1195772,1195920,1196067,1196094,1196407,1196455,1196693,1196704,1196977,1197007
CVE References: CVE-2018-20433,CVE-2019-5427
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.2 (src):    c3p0-0.9.5.5-150300.4.6.1, grafana-formula-0.7.0-150300.3.6.1, hub-xmlrpc-api-0.7-150300.3.6.1, inter-server-sync-0.1.0-150300.8.12.1, mgr-osad-4.2.8-150300.2.9.1, mgr-push-4.2.5-150300.2.9.1, patterns-suse-manager-4.2-150300.4.9.1, prometheus-exporters-formula-1.2.0-150300.3.9.1, py26-compat-msgpack-python-0.4.6-150300.4.3.1, rhnlib-4.2.6-150300.4.9.1, saltboot-formula-0.1.1645440615.7f1328c-150300.3.9.1, smdba-1.7.10-0.150300.3.3.1, spacecmd-4.2.16-150300.4.18.1, spacewalk-admin-4.2.10-150300.3.9.1, spacewalk-backend-4.2.20-150300.4.18.1, spacewalk-branding-4.2.13-150300.3.9.1, spacewalk-certs-tools-4.2.15-150300.3.15.1, spacewalk-client-tools-4.2.18-150300.4.18.1, spacewalk-config-4.2.6-150300.3.6.1, spacewalk-java-4.2.34-150300.3.26.2, spacewalk-web-4.2.26-150300.3.18.2, subscription-matcher-0.29-150300.6.6.1, supportutils-plugin-susemanager-4.2.4-150300.3.6.1, suseRegisterInfo-4.2.6-150300.4.9.1, susemanager-4.2.28-150300.3.22.1, susemanager-doc-indexes-4.2-150300.12.22.1, susemanager-docs_en-4.2-150300.12.22.1, susemanager-schema-4.2.21-150300.3.18.1, susemanager-sls-4.2.21-150300.3.20.1, virtualization-formulas-0.6.2-150300.8.6.1

Comment 16 Swamp Workflow Management 2022-04-25 19:35:06 UTC
SUSE-RU-2022:1387-1: An update that has 34 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 1133198,1173527,1186336,1191360,1191597,1192150,1192822,1193448,1194363,1194447,1194464,1194909,1195043,1195145,1195271,1195282,1195294,1195666,1195712,1195750,1195757,1195762,1195765,1195772,1195920,1196067,1196094,1196407,1196455,1196693,1196704,1196977,1197007,1197579
CVE References: 
JIRA References: 
Sources used:
SUSE Manager Server 4.2 (src):    release-notes-susemanager-4.2.6-150300.3.37.1
SUSE Manager Retail Branch Server 4.2 (src):    release-notes-susemanager-proxy-4.2.6-150300.3.26.1
SUSE Manager Proxy 4.2 (src):    release-notes-susemanager-proxy-4.2.6-150300.3.26.1
