XML External Entity Injection (XXE)

CRITICAL | JANUARY 14, 2019 | CVE-2019-3772

Description

Spring Integration (spring-integration-xml and spring-integration-ws modules), versions 4.3.18, 5.0.10, 5.1.1, and older unsupported versions, were susceptible to XML External Entity Injection (XXE) when receiving XML data from untrusted sources.

Affected Spring Products and Versions

Spring Integration:

  • 5.1.1 - 5.1.1
  • 5.0.10 - 5.0.10
  • 4.3.18 and earlier

Mitigation

Users of affected versions should upgrade to the corresponding fixed version.
Fix versionAvailability
5.1.2OSS
5.0.11OSS
4.3.19OSS
  • Spring Integration components that exhibited this vulnerability now disable the features as advised in the reference cheat sheet [1] by default, but allow user configuration of the components if the feature can be enabled because XML is received from a trusted source.

History

  • 2019-01-14: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all