Bug 13836

Summary:	[CVE 21] dom4j 2.0.0 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	VERIFIED FIXED	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	blocker
Priority:	Highest	CC:	a.proklov, e.kosachev, pastordidi, s.matveev, v.potapov, y.tumanov
Version:	All	Flags:	v.potapov: qa_verified+ y.tumanov: secteam_verified? a.proklov: published+
Target Milestone:	2021.1 Fresh R12
Hardware:	All
OS:	Linux
URL:	CVE-2018-1000632, CVE-2020-10683,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-10-18 20:25:05 MSK

Please patch CVEs for package dom4j version 2.0.0
  
INFO (CVEs are): dom4j 2.0.0
 cves found
CVE-2018-1000632
Desc: dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Link: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
Severity: HIGH
CVE-2020-10683
Desc: dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.
Link: https://nvd.nist.gov/vuln/detail/CVE-2020-10683
Severity: CRITICAL

Comment 1 Vladimir Potapov 2023-10-20 12:45:26 MSK

*** Bug 13704 has been marked as a duplicate of this bug. ***

Comment 2 Vladimir Potapov 2023-10-20 12:45:39 MSK

*** Bug 13516 has been marked as a duplicate of this bug. ***

Comment 3 Aleksandr Proklov 2023-10-24 05:11:37 MSK

Ничего не удается скомпилировать если сделать патчи, пробовал обновить до версии 2.0.2 и 2.0.3 - не собираются.

Comment 4 Svyatoslav Matveev 2023-12-12 15:36:45 MSK

********** QA ADVISORY **********

Уязвимости закрыты обновлением.

CVE-2018-1000632

fix patch
https://github.com/dom4j/dom4j/commit/e598eb43d418744c4dbf62f647dd2381c9ce9387

CVE-2020-10683

fix patch
https://github.com/dom4j/dom4j/commit/a8228522a99a02146106672a34c104adbda5c658

В версии 2.0.3 уязвимый код исправлен.

*** dom4j
**  upd: 2.0.0 .. 2.0.3

https://abf.io/build_lists/4885618
https://abf.io/build_lists/4885619

Comment 5 Dmitry Postnikov 2023-12-13 14:53:39 MSK

*****************************
Обновление отослано в Тестинг

Comment 6 Vladimir Potapov 2023-12-13 17:19:38 MSK

dom4j-2.0.3-1
https://abf.io/build_lists/4885618
https://abf.io/build_lists/4885619
************************* Advisory ***************************
CVEs fix by version update and patch
**************************************************************
QA Verified