[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2016-6805] Arbitrary File Read due to eXternal Xml Entity attack in Apache Ignite
- To: user@xxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxx, announce@xxxxxxxxxx, Pierre Ernst <pernst@xxxxxxxxxxxxxx>, security <security@xxxxxxxxxx>
- Subject: [CVE-2016-6805] Arbitrary File Read due to eXternal Xml Entity attack in Apache Ignite
- From: Denis Magda <dmagda@xxxxxxxxxx>
- Date: Fri, 7 Apr 2017 12:29:13 -0400
[CVE-2016-6805] Arbitrary File Read due to eXternal Xml Entity attack in Apache
Ignite
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Ignite 1.0.0-RC3 to 1.8
Description:
Apache Ignite uses an update notifier component to update the users about new
project releases that include additional functionality, bug fixes and
performance improvements. To do that the component communicates to an external
PHP server (http://ignite.run) where it needs to send some system properties
like Apache Ignite or Java version. This feature is enabled by default and used
to send sensitive data over HTTP by mistake, such as installation folders or
environment variables stored in Java system properties. The second issue is
because TLS is not used between the application and the PHP server, a
Man-in-the-middle attack is possible and a malicious actor could alter the
response coming from the ignite.run server. This response is parsed by the
Apache ignite component as XML, and a XXE attack can be triggered.
Both issues mentioned above were fixed as a part of Apache Ignite 1.9 release.
The relevant commits with the changes:
Mitigation:
Users must upgrade to Apache Ignite 1.9 or later versions or disable the update
notifier.
Credit:
Pierre Ernst, Salesforce