CVE-2015-3192 DoS Attack with XML Input
Description
XML external entities were previously disabled with the publication of http://pivotal.io/security/cve-2013-6429. If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.
This is now done in the Spring Framework by default wherever the framework sets up XML parsing from external sources. Mainly this includes the Unmarshaller implementations in spring-oxm and the HttpMessageConverter implementations in spring-web.
Note that further actions may need to be taken by applications in particular where use of StAX is concerned. For example IBM JDK 1.6 and 1.7 require an environment variable in addition to setting supportDTD=false (see IBM JDK reference). Moreover we’ve found that supportDTD alone does not protect against all kinds of DoS attacks with JDK JAXP implementations. Hence we recommend using the Woodstox open source library for StAX parsing.
The following describes when StAX is used in the Spring Framework:
SourceHttpMessageConverter-- enabled by default. The converter was added in 3.2 while StAX support was added in 4.0.1 and is used when converting to Spring MVC controller method argument of typejavax.xml.transform.stax.StAXSource.Jaxb2CollectionHttpMessageConverter-- not enabled by default. This converter was added in 3.2.MappingJackson2XmlHttpMessageConverter-- enabled when “jackson-dataformat-xml” is present on the classpath. This converter was added in 4.1.
Affected Spring Products and Versions
- Spring Framework 3.2.0 to 3.2.13
- Spring Framework 4.0.0 to 4.1.6
- Other unsupported versions are also affected
Mitigation
Users of affected Spring Framework versions should upgrade as follows:
- For 3.2.x upgrade to <strong>3.2.14+</strong>
- For 4.0.x and 4.1.x upgrade to <strong>4.1.7+</strong>
In addition, applications that consume XML input via StAX from external sources should also use and/or upgrade to a recent version of the Woodstox library, e.g. version 4.2+ (4.2.1 is the currently curated version in the Spring IO Platform).
Notes on adding Woodstox:
StAX defines a standard mechanism for selecting which StAX implementation to use when more than one is available including system properties and service definitions under WEB-INF/services. Woodstox includes the necessary service definitions so that simply adding it to the classpath should work. However some application servers such as WebLogic already bundle (an older version) of Woodstox in which case you may need to configure the server to prefer the one chosen by the application, see this reference on prefer-application-packages.
Credit
This issue was identified responsibly and reported to Pivotal by Toshiaki Maki of NTT DATA Corporation who also helped to develop and test the solution.
