SECURITY BULLETIN: Fortify XML XXE Injection


Original Question: SECURITY BULLETIN: Fortify XML XXE Injection by tpalmeri


Fortify

 

Customer Advisory

 

02 February 2018


Title: Fortify XML External Entity (XXE) Injection

Summary: Opening a compromised Fortify results file may cause XML External Entity (XXE) injection.

Risk:

Likelihood of occurrence: Medium

Severity of impact: High

Problem:

Fortify Audit Workbench (AWB) and Fortify Software Security Center (SSC) process XML documents contained in FPR result files generated by Fortify Static Code Analyzer (SCA). The XML parsers used to read these documents are not sufficiently restricted (in particular, they resolve external entities declared in a document's DTD), so a crafted document can cause XML External Entity (XXE) injection.

Discovery:

External

Cause:

Software Defect

Impact:

If a results file (FPR) containing a compromised XML document is opened by an unsuspecting user, XML External Entity injection may cause a denial of service by exhausting system resources, or may exfiltrate sensitive information, for example the contents of files that the AWB or SSC process can read.

 

See also: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
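As an added example that is not part of this advisory and not Fortify's own code, the following Python script shows the defect class the Problem and Impact sections describe: an XML parser that honours SYSTEM entities splices an arbitrary local file into the parsed text, while a parser that refuses DOCTYPE declarations and never resolves an external reference still reads a benign document unchanged. The element names, the "secret" file and the XML payload are all constructed for the example; the internal layout of a real FPR is not modelled.

```python
"""XXE demonstration: permissive parser vs. hardened parser (added example)."""
import os
import tempfile
import xml.parsers.expat as expat

# Constructed sample document with invented element names (not a real FPR).
BENIGN_XML = b'<?xml version="1.0"?><Results><Finding>CWE-611</Finding></Results>'


class ForbiddenDTD(ValueError):
    """Raised by the hardened parser when a document carries a DOCTYPE."""


def build_malicious_xml(target_path):
    """Attacker-controlled XML of the kind a compromised results file could
    carry: an external entity whose SYSTEM identifier names a local file."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE Results [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<Results><Finding>&xxe;</Finding></Results>\n'
    ).encode()


def parse_permissive(data):
    """Models the insufficiently restricted parser: every SYSTEM entity is
    fetched and its contents are spliced into the document's text."""
    chunks = []
    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.CharacterDataHandler = chunks.append

    def follow_external_entity(context, base, system_id, public_id):
        # The child parser shares the parent's handlers, so whatever the
        # referenced file contains is delivered through CharacterDataHandler.
        child = parser.ExternalEntityParserCreate(context)
        with open(system_id, "rb") as fh:
            child.Parse(fh.read(), True)
        return 1  # tell expat the entity was handled

    parser.ExternalEntityRefHandler = follow_external_entity
    parser.Parse(data, True)
    return "".join(chunks)


def parse_hardened(data):
    """Rejects any DOCTYPE (which removes both external entities and
    entity-expansion DoS payloads, since both are declared in the DTD) and,
    as a second line of defence, refuses to resolve external references."""
    chunks = []
    parser = expat.ParserCreate()
    parser.buffer_text = True
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise ForbiddenDTD("DOCTYPE declarations are not permitted")

    def refuse_external_entity(context, base, system_id, public_id):
        return 0  # returning 0 makes expat fail the parse instead of fetching

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ExternalEntityRefHandler = refuse_external_entity
    parser.Parse(data, True)
    return "".join(chunks)


def run_demo():
    """Returns (text leaked by the permissive parser,
                whether the hardened parser blocked the payload,
                text the hardened parser extracts from the benign document)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-in for a sensitive file on the analyst's machine.
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as fh:
            fh.write("SECRET-TOKEN-123")
        malicious = build_malicious_xml(secret_path)

        leaked = parse_permissive(malicious)
        try:
            parse_hardened(malicious)
            blocked = False
        except ForbiddenDTD:
            blocked = True
    benign = parse_hardened(BENIGN_XML)
    return leaked, blocked, benign


if __name__ == "__main__":
    leaked, blocked, benign = run_demo()
    print("permissive parser leaked:", leaked)
    print("hardened parser blocked malicious document:", blocked)
    print("hardened parser still reads benign document:", benign)
```

Refusing the DOCTYPE outright is the simplest effective restriction because an XML document that only carries findings has no legitimate need for a DTD; it also shuts down entity-expansion ("billion laughs") denial of service, the resource-exhaustion outcome the Impact section mentions, without relying on expansion limits. For a Java parser built through JAXP, the equivalent is setting the feature `http://apache.org/xml/features/disallow-doctype-decl` to true on the factory before parsing.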

Solution:

Upgrade to Fortify 17.20 or later.

 

Customers who cannot upgrade: apply the patch for 16.1, 16.2, or 17.1.

Workaround:

Declining to accept or open FPR result files from untrusted sources mitigates this risk.

Recommendation:

(1) Upgrade to Fortify 17.20 or later.  (Go to Software Support Online at https://softwaresupport.softwaregrp.com/ and log into your SSO account.)

(2) Do not accept or open FPR results files from untrusted sources.

Products Affected:

Fortify AWB

Fortify SSC

Obtaining Support:

If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the options below.

 

To Manage Your Support Cases, Acquire Licenses, and Manage Your Account:

     https://softwaresupport.softwaregrp.com

To Call Support:

     1 (844) 260-7219

Date:

02 February 2018

Document ID:

MF-FORT-CA-201801

You can find additional information on this Security Bulletin at the following link:

https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653

 

MF-FORT-CA-201801.pdf