Community
Participate
Working Groups
An Memory Analyzer reports are defined via an XML file. https://help.eclipse.org/latest/index.jsp?topic=%2Forg.eclipse.mat.ui.help%2Fdoc%2Forg_eclipse_mat_report_report.html We aleady have a schema, so should validate the XML against the schema and give warnings messages to the user if the report definition is not quite correct. Also, we should be aware of XML external entity processing vulnerabilities. https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing https://cwe.mitre.org/data/definitions/611.html In general the reports don't need access an external entity, so we should disable this when the reports are executed.
This is similar to https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/8 We use the SAX parser for reading report definitions and so a malicious external report definition could do something unexpected if run by a user. I've confirmed that using add <!DOCTYPE root_element SYSTEM file:///c:/mysecret.txt> to the beginning of a report However running an untrusted report could already do a denial of service, so I wonder how big an issue this is? I've got a fix for the parsing, and I have added some extra code to validate the report XML against the schema. https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/205415 https://git.eclipse.org/c/mat/org.eclipse.mat.git/commit/?id=979835dab651c35be5b51155303c33e728ce2d11 Existing code should have stopped this problem but didn’t. saxXmlReader.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/parsers/SAXParser.html#setProperty(java.lang.String,java.lang.Object) https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD "When FEATURE_SECURE_PROCESSING is enabled, it is recommended that implementations restrict external connections by default, though this may cause problems for applications that process XML/XSD/XSL with external references." The workaround for MAT 1.14.0 from https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_DTD and https://docs.oracle.com/en/java/javase/17/docs/api/java.xml/javax/xml/XMLConstants.html#ACCESS_EXTERNAL_SCHEMA is to run MAT with the following system properties set in MemoryAnalyzer.ini -Djavax.xml.accessExternalSchema= -Djavax.xml.accessExternalDTD=
Possible plan: 1. Apply patch https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/205415. Done. 2. Other people test the patch – do we need more? 3. Copy build to 2023-12/M3 prepare sim-rel 4. Update our SimRel contribution (Krum) – by Monday / Tuesday? ready for M3 SimRel. 5. Open bug (mark security, private). Done - this bug. 6. Discuss whether we need a CVE. 7. Write CVE (if needed). 8. Publish CVE (if needed). 9. At some point publish the bug – with the workaround for don’t run untrusted XML reports – read them first? 10. Announce on MAT mailing list. 11. Update new and noteworthy - need to get into 2023-12/RC1. 12. MAT 1.15.0 when released on December 6 2023 should have the fix.
See https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169
> See https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/169 I can't see it, even after I log in.
We need to add all people one by one to that ticket. Please come with a list and I will do that.
From the plan: 1. Apply patch https://git.eclipse.org/r/c/mat/org.eclipse.mat/+/205415. Done. 2. Other people test the patch – do we need more? 3. Copy build to 2023-12/M3 prepare sim-rel. Done 4. Update our SimRel contribution (Krum) – by Monday / Tuesday? ready for M3 SimRel. Done. 5. Open bug (mark security, private). Done - this bug. 6. Discuss whether we need a CVE. Done. 7. Write CVE (if needed). CVE number assigned. All information present for CVE. Done. 8. Publish CVE (if needed). 9. At some point publish the bug – with the workaround for don’t run untrusted XML reports – read them first / use system properties. 10. Announce on MAT mailing list. 11. Update new and noteworthy - need to get into 2023-12/RC1. - will be web-only version. 12. MAT 1.15.0 when released on December 6 2023 should have the fix.
The CVE has been published, I'm making this issue public too.
The fixes are in Eclipse Memory Analyzer 1.15.0