Vulnerability Name:

CVE-2019-12400 (CCN-165748)

Assigned: 2019-08-23
Published: 2019-08-23
Updated: 2022-04-13
Summary: In version 2.0.3 of Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this implementation might be cached and re-used by Apache Santuario - XML Security for Java, leading to potential security flaws when validating signed documents, etc. The vulnerability affects Apache Santuario - XML Security for Java 2.0.x releases from 2.0.3 and all 2.1.x releases before 2.1.4.
CVSS v3 Severity: 5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): High
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 1.9 Low (CVSS v2 Vector: AV:L/AC:M/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2019-12400

Source: CCN
Type: Apache Santuario Security Advisory
CVE-2019-12400: Apache Santuario potentially loads XML parsing code from an untrusted source

Source: CONFIRM
Type: Vendor Advisory
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0804

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0805

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0806

Source: REDHAT
Type: Third Party Advisory
RHSA-2020:0811

Source: XF
Type: UNKNOWN
apache-santuario-cve201912400-weak-security(165748)

Source: MLIST
Type: Issue Tracking, Vendor Advisory
[santuario-dev] 20190905 Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Source: MLIST
Type: Issue Tracking, Vendor Advisory
[santuario-dev] 20190906 Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomee-commits] 20200720 [jira] [Assigned] (TOMEE-2885) Update Apache XML Security for Java to mitigate CVE-2019-12400

Source: MLIST
Type: Mailing List, Patch, Vendor Advisory
[santuario-commits] 20210917 svn commit: r1076843 - in /websites/production/santuario/content: cache/main.pageCache index.html javaindex.html secadv.data/CVE-2021-40690.txt.asc secadv.html

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomee-commits] 20200324 [jira] [Created] (TOMEE-2791) TomEE plus(7.0.7) is affected by CVE-2019-12400 vulnerability

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomee-commits] 20200720 [jira] [Created] (TOMEE-2885) Update Apache XML Security for Java to mitigate CVE-2019-12400

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomee-commits] 20200720 [jira] [Commented] (TOMEE-2885) Update Apache XML Security for Java to mitigate CVE-2019-12400

Source: CCN
Type: oss-sec Mailing List, Fri, 23 Aug 2019 16:45:10 +0100
[CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190910-0003/

Source: CCN
Type: IBM Security Bulletin 6253287 (Business Process Manager Express)
XML parsing vulnerability in Apache Santuario might affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2019-12400

Source: CCN
Type: IBM Security Bulletin 6382284 (QRadar)
Apache Santuario as used in IBM QRadar SIEM is vulnerable to improper input validation (CVE-2019-12400)

Source: CCN
Type: IBM Security Bulletin 6836921 (Security Verify Governance)
IBM Security Verify Governance is vulnerable to bypassing of security restrictions due to use of Apache Santuario XML Security (CVE-2019-12400, CVE-2021-40690)

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-12400

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:* (Version >= 2.1.0 and < 2.1.4)
  • OR cpe:/a:apache:santuario_xml_security_for_java:*:*:*:*:*:*:*:* (Version >= 2.0.3 and <= 2.0.10)

Configuration 2:
  • cpe:/a:redhat:jboss_enterprise_application_platform:7.2:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.6:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5.7:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5.6.2:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5.6.1:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5.6:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5.5:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5.0.2:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5.0.1:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.5:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.0.1.3:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.0.1.2:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.0.1.1:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.0.1:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:business_process_manager:8.0:*:*:*:express:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.3.3:p1:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.4.0:-:*:*:*:*:*:*
  • OR cpe:/a:ibm:qradar:7.4.1:p1:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_governance:10.0:*:*:*:*:*:*:*

  * Denotes that component is vulnerable

Oval Definitions
Definition ID                                   Class  Title                                              Last Modified
oval:org.opensuse.security:def:113598           P      xml-security-2.1.7-1.1 on GA media (Moderate)      2022-01-17
oval:com.ubuntu.disco:def:2019124000000000      V      CVE-2019-12400 on Ubuntu 19.04 (disco) - medium.   2019-08-23
oval:com.ubuntu.bionic:def:2019124000000000     V      CVE-2019-12400 on Ubuntu 18.04 LTS (bionic) - medium.   2019-08-23
oval:com.ubuntu.xenial:def:2019124000000000     V      CVE-2019-12400 on Ubuntu 16.04 LTS (xenial) - medium.   2019-08-23