SECURITY BULLETIN: Fortify XML XXE Injection (posted by tpalmeri)
Fortify
Customer Advisory
02 February 2018
Title: Fortify XML External Entity (XXE) Injection
Summary: Opening a compromised Fortify results file may result in XML External Entity (XXE) injection.
Risk: Likelihood of occurrence: Medium
Severity of impact: High
Problem:
Fortify Audit Workbench (AWB) and Fortify Software Security Center (SSC) process XML documents contained in FPR result files generated by Fortify Static Code Analyzer (SCA). Insufficient XML parser restrictions may result in XML External Entity injection.
Discovery:
External
Cause:
Software Defect
Impact:
If a results file (FPR) containing a compromised XML document is opened by an unsuspecting user, XML External Entity injection may cause a denial of service by exhausting system resources or exfiltrating sensitive information.
See also: https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
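The defect described under Problem and Impact is the absence of parser restrictions when XML inside a results archive is opened. The following is an added example, not Fortify code, of what those restrictions look like: a parser that refuses any DOCTYPE, entity declaration or external entity reference (which removes both the exfiltration and the entity-expansion denial-of-service variants in one rule) and caps the declared size of archive members. The archive layout (a ZIP holding XML members), the member name "results.xml", the size cap and both sample documents are assumptions constructed for the demonstration.

```python
"""Safely parse XML documents carried in an untrusted results archive.

Added example, not Fortify code. The ZIP-of-XML layout, the member name
"results.xml", the size cap and the sample documents are constructed here.
"""
import io
import xml.parsers.expat as expat
import zipfile

# Assumed cap on the declared uncompressed size of any member, to blunt
# decompression-based resource exhaustion before the XML parser is reached.
MAX_MEMBER_BYTES = 50 * 1024 * 1024


class UnsafeXmlError(ValueError):
    """Raised when a document uses features that untrusted XML must not."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML into a simple dict tree, refusing any DTD or entity machinery.

    Every XXE variant (external entity fetch, exfiltration through entity
    values, expansion-based denial of service) needs a DOCTYPE carrying entity
    declarations, so rejecting the DOCTYPE itself closes the whole class.
    """
    parser = expat.ParserCreate()
    # Belt and braces: never process parameter entities even if a handler is removed.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise UnsafeXmlError(f"DOCTYPE declaration not allowed (root {name!r})")

    def reject_entity_decl(*_):
        raise UnsafeXmlError("entity declaration not allowed")

    def reject_external_ref(context, base, system_id, public_id):
        raise UnsafeXmlError(f"external entity reference not allowed: {system_id!r}")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    # Minimal tree builder: each node is {"tag", "attrs", "text", "children"}.
    root = {"tag": None, "attrs": {}, "text": "", "children": []}
    stack = [root]

    def start(tag, attrs):
        node = {"tag": tag, "attrs": attrs, "text": "", "children": []}
        stack[-1]["children"].append(node)
        stack.append(node)

    def end(tag):
        stack.pop()

    def chars(text):
        stack[-1]["text"] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)  # handlers raise UnsafeXmlError before any DTD takes effect
    return root["children"][0]


def load_results_archive(archive_bytes: bytes) -> dict:
    """Open a ZIP of XML members, enforcing the size cap and parsing each safely."""
    parsed = {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_MEMBER_BYTES:
                raise UnsafeXmlError(f"{info.filename}: declared size {info.file_size} exceeds cap")
            if info.filename.lower().endswith(".xml"):
                parsed[info.filename] = parse_untrusted_xml(zf.read(info.filename))
    return parsed


def build_archive(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}, standing in for a results file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def classify_archive(archive_bytes: bytes) -> str:
    """Return 'ok' or 'rejected', so a caller can log or alert on blocked files."""
    try:
        load_results_archive(archive_bytes)
        return "ok"
    except UnsafeXmlError:
        return "rejected"


# Constructed sample documents (not real Fortify output). The second one carries
# the DOCTYPE-with-external-entity shape the OWASP page linked above describes;
# the SYSTEM URI is a placeholder and is never fetched because the DOCTYPE is refused.
BENIGN_XML = b'<?xml version="1.0"?><Results><Issue id="1">Hardcoded password</Issue></Results>'
XXE_XML = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE Results [<!ENTITY ext SYSTEM "file:///placeholder/not-read">]>'
           b'<Results><Issue id="1">&ext;</Issue></Results>')

if __name__ == "__main__":
    print(classify_archive(build_archive({"results.xml": BENIGN_XML})))  # ok
    print(classify_archive(build_archive({"results.xml": XXE_XML})))     # rejected
```

The important design choice is to refuse at the DOCTYPE rather than trying to distinguish harmless entity declarations from dangerous ones: a results file produced by a scanner has no legitimate need for a DTD, so the rejection is also a useful detection signal worth logging when it fires.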
Solution:
Upgrade to Fortify 17.2 or later.
Customers who cannot upgrade: a patch is available for 16.1, 16.2, and 17.1.
Workaround:
Declining to accept or open FPR results files from untrusted sources will mitigate this risk.
Recommendation:
(1) Upgrade to Fortify 17.20 or later. (Go to Software Support Online at https://softwaresupport.softwaregrp.com/ and log into your SSO account.)
(2) Do not accept or open FPR results files from untrusted sources.
Products Affected:
Fortify AWB
Fortify SSC
Obtaining Support:
If you have questions or comments about using this product, contact Micro Focus Fortify Customer Support using one of the options below.
To Manage Your Support Cases, Acquire Licenses, and Manage Your Account:
https://softwaresupport.softwaregrp.com
To Call Support:
1 (844) 260-7219
Date:
02 February 2018
Document ID:
MF-FORT-CA-201801
You can find additional information on this Security Bulletin at the following link:
https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03083653