XXE attack in JBoss BRMS and Red Hat Process Automation Manager (formerly JBoss BPM Suite)

#VU312 XXE attack in JBoss BRMS and Red Hat Process Automation Manager (formerly JBoss BPM Suite)

Published: 2016-08-15 | Updated: 2018-11-22

Vulnerability identifier: #VU312

Vulnerability risk: High

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-3192

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
JBoss BRMS
Web applications / Remote management & hosting panels
Red Hat Process Automation Manager (formerly JBoss BPM Suite)
Web applications / Remote management & hosting panels

Vendor: Red Hat Inc.

Description
The vulnerability allows a remote attacker to conduct XXe-attack on the target system.

The vulnerability exists in JBoss BPM Suite and BRMS. A remote attacker can cause denial of service conditions by submitting a specially crafted XML file that would cause out-of-memory errors when parsed.

Successful exploitation of this vulnerability may result in denial of service conditions on the target system.

Mitigation
Update your version at:
https://rhn.redhat.com/errata/RHSA-2016-1592.html
https://rhn.redhat.com/errata/RHSA-2016-1593.html

Vulnerable software versions

JBoss BRMS: 6.3.2

Red Hat Process Automation Manager (formerly JBoss BPM Suite): 6.3.2

External links
http://rhn.redhat.com/errata/RHSA-2016-1593.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM MobileFirst Platform Foundation

XXE attack in JBoss BRMS