[JIRA] (WHAN-50) CVE-2021-33813: High vulnerability in jdom2:2.0.6 dependency of io.wcm.handler.commons


sunaric@gmail.com (JIRA)

Dec 17, 2021, 4:23:32 AM
to wcm-i...@googlegroups.com
sun...@gmail.com created WHAN-50:
-------------------------------------

Summary: CVE-2021-33813: High vulnerability in jdom2:2.0.6 dependency of io.wcm.handler.commons
Key: WHAN-50
URL: https://wcm-io.atlassian.net/browse/WHAN-50
Project: wcm.io Handler
Issue Type: Bug
Components: Commons
Reporter: sun...@gmail.com


It affects all versions of org.jdom.jdom2 up to including 2.0.6
Version 2.0.6.1 is however already available.

See more details:
https://github.com/advisories/GHSA-2363-cqg2-863c

I'd suggest to update the jdom2 version in io.wcm.handler.parent



--
This message was sent by Atlassian Jira
(v1001.0.0-SNAPSHOT#100187)

Stefan Seifert (JIRA)

Dec 17, 2021, 4:26:17 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert reassigned WHAN-50:
----------------------------------

Assignee: Stefan Seifert (was: Unassigned)

i'll have a look


Stefan Seifert (JIRA)

Dec 17, 2021, 5:29:58 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21423#comment-21423 ]

Stefan Seifert commented on WHAN-50:
------------------------------------

hmm - jdom 2.0.6.1 is a non-trivial release which contains many more features than just this fix or other cosmetic stuff. it seems it contains new features from a different branch back to 2013:
https://github.com/hunterhacker/jdom/compare/JDOM-2.0.6...JDOM-2.0.6.1

however, as we are only using a subset of JDOM, it's probably fine and it should work without problems. (but it may also introduce new vulnerabilities).

concerning the actual CVE-2021-33813: we are actually using SAXBuilder in richtext handler to parse XHTML fragments created with AEM rich text editor - which is user input which was stored in repository. meaning someone who has access to the author instance, or write access to the repository, may be able to inject an XHTML snippet with such an attack.

i'm considering, in addition to updating to 2.0.6.1, applying "builder.setExpandEntities(false)" on our rich text parsing logic (as discussed in https://github.com/hunterhacker/jdom/pull/188 as initial workaround).

Stefan Seifert (JIRA)

Dec 17, 2021, 7:31:03 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21425#comment-21425 ]

Stefan Seifert commented on WHAN-50:
------------------------------------

another important read is the actual JDOM github issue: https://github.com/hunterhacker/jdom/issues/189
* it also discusses that 2.0.6.1 contains a lot of other changes and is thus a bit ill-named: https://github.com/hunterhacker/jdom/issues/189#issuecomment-990613330
* and - important - just updating to 2.0.6.1 does not actually fix a potential XXE: https://github.com/hunterhacker/jdom/issues/189#issuecomment-885505756

Stefan Seifert (JIRA)

Dec 17, 2021, 8:12:07 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21426#comment-21426 ]

Stefan Seifert edited comment on WHAN-50 at 12/17/21 1:12 PM:
--------------------------------------------------------------

i've implemented a PR https://github.com/wcm-io/wcm-io-handler/pull/29 with precautionary improvements including the update to 2.0.6.1.

after doing deeper checks i'm quite convinced that an attack was never possible even if an attacker had access to an author instance or repository: all rich text XHTML fragments that are parsed are always wrapped in a <root>...</root> element. if someone entered a DOCTYPE into the fragment, parsing always fails (added a unit test for that) - the DOCTYPE never gets evaluated.

nevertheless i've configured the SAXBuilder which is used to do the parsing more conservatively applying the recommendations from this cheat sheet where appropriate:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxbuilder

*it is still possible that custom project code that uses the JDOM library exported by us is vulnerable to XXE attacks. deploying the updated version with 2.0.6.1 is likely to not fix that attack vector - you still have to do a review of your code.* but for the code that comes with the wcm.io libraries we should be fine.



Stefan Seifert (JIRA)

Dec 17, 2021, 8:20:28 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21426#comment-21426 ]

Stefan Seifert edited comment on WHAN-50 at 12/17/21 1:20 PM:
--------------------------------------------------------------

i've implemented a PR https://github.com/wcm-io/wcm-io-handler/pull/29 with precautionary improvements including the update to 2.0.6.1.

after doing deeper checks i'm quite convinced that an *attack via Rich Text Handler was never possible* even if an attacker had access to an author instance or repository: all rich text XHTML fragments that are parsed are always wrapped in a <root>...</root> element. if someone entered a DOCTYPE into the fragment, parsing always fails (added a unit test for that) - the DOCTYPE never gets evaluated.

nevertheless i've configured the SAXBuilder which is used to do the parsing more conservatively applying the recommendations from this cheat sheet where appropriate:
https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html#saxbuilder

*it is still possible that custom project code that uses the JDOM library exported by us is vulnerable to XXE attacks. deploying the updated version with 2.0.6.1 will likely not fix that attack vector - you still have to do a review of your code.* but for the code that comes with the wcm.io libraries we should be fine.


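The two points Stefan makes above (configure SAXBuilder per the OWASP XXE cheat sheet and call setExpandEntities(false); and wrap every rich text fragment in a synthetic root element so that a DOCTYPE in the fragment is never well-formed) can be checked locally with a small stand-alone program. The following is an added example, not code from the wcm.io Rich Text Handler or from PR 29: the class name, the sample fragments and the file path in the entity declaration are all constructed for the demonstration.

```java
import java.io.IOException;
import java.io.StringReader;

import org.jdom2.Document;
import org.jdom2.JDOMException;
import org.jdom2.input.SAXBuilder;
import org.jdom2.input.sax.XMLReaders;

/**
 * Added example (not wcm.io project code): a SAXBuilder hardened along the
 * lines of the OWASP XXE cheat sheet, plus the "wrap the fragment in
 * <root>...</root>" pattern described in the thread.
 */
public class HardenedJdomParsing {

  // Constructed sample input: a harmless rich text fragment.
  static final String BENIGN_FRAGMENT = "<p>Hello <b>world</b></p>";

  // Constructed sample input: a classic XXE payload. The file path is
  // only illustrative; the hardened builder never resolves it.
  static final String XXE_FRAGMENT =
      "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>"
      + "<p>&xxe;</p>";

  /** Returns a SAXBuilder that refuses DOCTYPE declarations and external entities. */
  public static SAXBuilder hardenedBuilder() {
    // Non-validating: no DTD is fetched for validation purposes.
    SAXBuilder builder = new SAXBuilder(XMLReaders.NONVALIDATING);
    // Reject any DOCTYPE outright (Xerces feature, supported by the JDK parser).
    builder.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // Defence in depth in case a different XMLReader ignores the feature above.
    builder.setFeature("http://xml.org/sax/features/external-general-entities", false);
    builder.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    builder.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
    // JDOM-level setting: keep entity references unexpanded in the built tree.
    builder.setExpandEntities(false);
    return builder;
  }

  /** Parses a rich text fragment wrapped in a synthetic root element. */
  public static Document parseFragment(SAXBuilder builder, String fragment)
      throws JDOMException, IOException {
    String wrapped = "<root>" + fragment + "</root>";
    return builder.build(new StringReader(wrapped));
  }

  public static void main(String[] args) throws Exception {
    SAXBuilder builder = hardenedBuilder();

    Document doc = parseFragment(builder, BENIGN_FRAGMENT);
    System.out.println("benign fragment parsed: "
        + doc.getRootElement().getChild("p").getTextTrim());

    try {
      parseFragment(builder, XXE_FRAGMENT);
      System.out.println("unexpected: XXE fragment was parsed");
    } catch (JDOMException e) {
      // A DOCTYPE following the <root> start tag is not well-formed XML, so
      // the parse fails before any entity could be resolved; with the
      // hardened builder it would also fail even without the wrapper.
      System.out.println("rejected as expected: " + e.getMessage());
    }
  }
}
```

Run it against any JDOM 2.x on the classpath: the benign fragment yields "Hello world" and the XXE fragment throws a JDOMParseException. To see why the wrapper alone is not a complete defence for other call sites, pass XXE_FRAGMENT unwrapped to a plain new SAXBuilder() with JDOM 2.0.6; that is the code path custom project code has to review.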

Michael Sunaric (JIRA)

Dec 17, 2021, 8:25:09 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21427#comment-21427 ]

Michael Sunaric commented on WHAN-50:
-------------------------------------

wow, thanks for the ultra-fast response

Stefan Seifert (JIRA)

Dec 17, 2021, 9:21:51 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=21428#comment-21428 ]

Stefan Seifert commented on WHAN-50:
------------------------------------

there are currently [staging issues|https://status.maven.org/] on oss.sonatype.org, so i will probably not get out the releases today. will try again later or on Monday at the latest.

Stefan Seifert (JIRA)

Dec 18, 2021, 5:30:53 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert updated WHAN-50:
-------------------------------
Components: Richtext Handler


Stefan Seifert (JIRA)

Dec 18, 2021, 5:32:28 AM
to wcm-i...@googlegroups.com

[ https://wcm-io.atlassian.net/browse/WHAN-50?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Stefan Seifert resolved WHAN-50.
--------------------------------
Fix versions: RichText Handler 1.5.8
Handler Commons 1.4.4
Resolution: Fixed

fixed in:
* io.wcm.handler.commons 1.4.4
* io.wcm.handler.richtext 1.5.8
