XML External Entities
CVE-ID
CVE-2014-3630
Date
7 Oct 2014
Update 19 Nov 2014: Play 2.2.6 released with fix.
Description
A vulnerability has been found in Play’s Java XML processing.
An attacker may use XML external entities to read files from the file system or the internal network, or to DoS the application.
Impact
Any application that uses the Java play.libs.XML API directly to parse XML from an untrusted source, or that uses Play's WS client API to parse XML responses from an untrusted server, is affected.
Specifically, this vulnerability does not affect Java actions that receive requests that contain XML bodies. It also does not affect any Scala XML processing APIs offered in Play.
Affected Versions
- Play 2.0 - 2.3.4
Workarounds
Do not use the play.libs.XML API to parse XML; instead use a DocumentBuilderFactory configured as described by OWASP here.
Do not use the play.libs.ws.WSResponse.asXml method; instead use the getBody method, and parse the body using a securely configured DocumentBuilderFactory.
Fixes
Upgrade to Play 2.3.5 or Play 2.2.6.
CVSS metrics
- Base: 4.0 (AV:N/AC:H/Au:N/C:P/I:N/A:P)
- Temporal: 3.1 (E:POC/RL:OF/RC:C)
- Environmental: 1.0 (CDP:ND/TD:L/CR:H/IR:H/AR:ND)
Environmental scores are assuming typical internet systems. Actual environmental scores for your organisation may differ.
Acknowledgements
Credit for finding this vulnerability goes to David Jorm of Red Hat Product Security.