XXE attack in Apache Oozie

#VU10632 XXE attack in Apache Oozie

Published: 2018-02-19

Vulnerability identifier: #VU10632

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-15712

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Oozie
Client/Desktop applications / Software for system administration

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform XXE attack.

The weakness exists due to constructing a workflow XML file containing XML directives. A remote attacker can obtain private files on the server process.

Mitigation
Update to version 4.3.1 or later.

Vulnerable software versions

Apache Oozie: 3.1.3 - 4.3.0

External links
http://mail-archives.us.apache.org/mod_mbox/www-announce/201802.mbox/%3CCABBupGWtC2vN-JzXWeuDaN-_bP6...

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloudera Data Platform Private Cloud Base with IBM (CDP)

Information disclosure in Apache Oozie