Bug 1169760 - (CVE-2020-10683) VUL-0: CVE-2020-10683: dom4j: XML External Entity vulnerability in default SAX parser
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/257202/
Reported: 2020-04-17 11:21 UTC by Alexandros Toptsoglou
Modified: 2020-10-21 09:26 UTC (History)

Found By: Security Response Team

Attachments
Backported patch for version 1.6.1 (19.69 KB, patch)
2020-04-27 15:39 UTC, Pedro Monreal Gonzalez
Description Alexandros Toptsoglou 2020-04-17 11:21:58 UTC
CVE-2020-10683

A flaw was found in the dom4j library. By using the default SaxReader() provided by Dom4J, external DTDs and External Entities are allowed, resulting in a possible XXE.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1694235
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10683
https://access.redhat.com/security/cve/CVE-2020-10683
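The mitigation an application can apply on its own side, as an added example that is not part of the bug report or of the dom4j project's code: build the SAXReader with the external-entity features switched off and verify that it refuses any DOCTYPE. The example assumes the JDK's built-in Xerces parser, which recognises the four feature URIs used; the sample document is constructed and carries only a harmless internal entity.

```java
import java.io.StringReader;
import org.dom4j.Document;
import org.dom4j.DocumentException;
import org.dom4j.io.SAXReader;
import org.xml.sax.SAXException;

/** Builds a SAXReader with the parser features relevant to XXE disabled. */
public final class HardenedSaxReader {

    public static SAXReader create() throws SAXException {
        SAXReader reader = new SAXReader();
        // Refuse any DOCTYPE outright: no inline entity declarations at all.
        reader.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        reader.setFeature("http://xml.org/sax/features/external-general-entities", false);
        reader.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        reader.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return reader;
    }

    /** Returns true if the given reader rejects a document carrying a DOCTYPE. */
    public static boolean rejectsDoctype(SAXReader reader) {
        // Constructed sample: a harmless internal entity, used only to check that
        // the DOCTYPE itself is refused before any entity would be resolved.
        String xml = "<!DOCTYPE r [<!ENTITY greet \"hello\">]><r>&greet;</r>";
        try {
            reader.read(new StringReader(xml));
            return false;
        } catch (DocumentException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Library default: on unpatched versions this is the reader the bug describes.
        SAXReader unsafe = new SAXReader();
        SAXReader safe = create();
        System.out.println("default reader rejects DOCTYPE:  " + rejectsDoctype(unsafe));
        System.out.println("hardened reader rejects DOCTYPE: " + rejectsDoctype(safe));
        // The hardened reader still parses ordinary documents without a DOCTYPE.
        Document doc = safe.read(new StringReader("<r>ok</r>"));
        System.out.println("plain document root: " + doc.getRootElement().getName());
    }
}
```

The hardened reader prints true for the DOCTYPE check regardless of the dom4j version installed, so the same check can serve as a regression test in the application's own test suite.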
Comment 1 Alexandros Toptsoglou 2020-04-17 11:23:54 UTC
Tracked both SLE12 and SLE1 as affected. Factory should also be patched
Comment 2 Alexandros Toptsoglou 2020-04-17 11:24:52 UTC
(In reply to Alexandros Toptsoglou from comment #1)
> Tracked both SLE12 and SLE1 as affected. Factory should also be patched

TYPO: Tracked both SLE12 and SLE15 as affected. Factory is also affected.
Comment 3 Pedro Monreal Gonzalez 2020-04-17 12:02:24 UTC
Upstream patches:

* For version 2.1.x:
  https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658

* For version 2.0.x:
  https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658
Comment 4 Pedro Monreal Gonzalez 2020-04-27 15:39:29 UTC
Created attachment 836877 [details]
Backported patch for version 1.6.1
Comment 5 Pedro Monreal Gonzalez 2020-04-27 15:47:24 UTC
Factory submission:
   https://build.opensuse.org/request/show/798322
Comment 6 Pedro Monreal Gonzalez 2020-04-27 16:24:59 UTC
(In reply to Pedro Monreal Gonzalez from comment #4)
> Created attachment 836877 [details]
> Backported patch for version 1.6.1

The fix is basically a revert of the mentioned commit, see upstream bug:
   https://github.com/dom4j/dom4j/issues/51
Comment 9 Swamp Workflow Management 2020-05-22 10:16:33 UTC
SUSE-SU-2020:1383-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1169760
CVE References: CVE-2020-10683
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.0 (src):    dom4j-1.6.1-4.9.4

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-05-22 10:17:19 UTC
SUSE-SU-2020:1382-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1169760
CVE References: CVE-2020-10683
Sources used:
SUSE Manager Server 3.2 (src):    dom4j-1.6.1-27.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-05-26 13:21:39 UTC
openSUSE-SU-2020:0719-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1169760
CVE References: CVE-2020-10683
Sources used:
openSUSE Leap 15.1 (src):    dom4j-1.6.1-lp151.6.3.1
Comment 12 Alexandros Toptsoglou 2020-06-30 07:57:53 UTC
Done