This issue has been assigned CVE-2013-3925 by Mitre Corporation.
Previously reported issue CVE-2012-2926 (August 2012, CVSS score 6.4) was patched by introducing a new XFire servlet component into Crowd. The new component disables external entity resolution during XML parsing.
The new component was configured to handle requests matching the URL pattern /crowd/services/ but does not intercept calls to /crowd/services/2/ (or similar sub-paths), so XML posted to those endpoints was still parsed with external entity resolution enabled.
The work for this issue has been tracked in CWD-3366 (Parsing of external XML entities can be exploited to retrieve files or make HTTP requests on the target network), status: Resolved.
Applying the Patch
The fix requires replacing the xfire-servlet.xml file in the crowd-server jar. The patched version of the file can be used with Crowd 2.3.7, 2.4.1 and above, or any 2.5 or 2.6 release. See xfire-servlet.xml attached to this issue.
For example, for Crowd 2.4.2:
The current xfire-servlet.xml inside crowd-server-2.4.2.jar must be replaced with the patched file: xfire-servlet.xml.
How to do it:
- Download the xfire-servlet.xml to this location
- Replace the old file with the new one. One way to do this without unpacking the jar, replacing the file and recreating the jar by hand is to run the command below:
- Restart Crowd.
For older versions of Crowd:
For older versions of Crowd you can manually edit the relevant jar file to remove the extra urlMap entries, so that the hardened XFire servlet handles every request under /crowd/services/.
- For Crowd 2.1.2 or 2.2.9, unzip the crowd-server-*.*.*.jar file, e.g.:
- Manually edit xfire-servlet.xml to remove all urlMap entries other than the first key="/*" entry:
- Save the file and recreate the jar, e.g.:
- Restart Crowd.
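The following Python script is an added example, not Atlassian's code or the attached patch: it audits the urlMap entries in a crowd-server jar's xfire-servlet.xml, applies the manual fix from the older-versions procedure (keep only the key="/*" entry) and rewrites the jar, so it serves both the replace-the-file and the edit-by-hand procedures above. It assumes the entries are Spring-style self-closing `<entry key="..."/>` elements and that the file sits at the jar root; the sample jar it builds is constructed for the demo and is not the real crowd-server-2.4.2.jar.

```python
import os, re, tempfile, zipfile

MEMBER = "xfire-servlet.xml"  # assumed to live at the jar root
# Assumption: urlMap entries are Spring-style self-closing <entry key="..."/> lines.
ENTRY_RE = re.compile(r'[ \t]*<entry\s+key="([^"]*)"[^>]*/>[ \t]*\n?')

def url_map_keys(xml_text):
    # Keys in document order; a patched file yields exactly ["/*"].
    return ENTRY_RE.findall(xml_text)

def is_patched(xml_text):
    return url_map_keys(xml_text) == ["/*"]

def strip_extra_entries(xml_text):
    # Manual fix for older versions: keep the first key="/*" entry, drop the rest.
    return ENTRY_RE.sub(lambda m: m.group(0) if m.group(1) == "/*" else "", xml_text)

def read_member(jar_path):
    with zipfile.ZipFile(jar_path) as jar:
        return jar.read(MEMBER).decode()

def replace_member(jar_path, new_text):
    # zipfile cannot update in place, so rewrite the jar with the member swapped.
    tmp = jar_path + ".patched"
    with zipfile.ZipFile(jar_path) as src, zipfile.ZipFile(tmp, "w") as dst:
        for info in src.infolist():
            data = new_text.encode() if info.filename == MEMBER else src.read(info)
            dst.writestr(info, data)
    os.replace(tmp, jar_path)

def patch_jar(jar_path):
    # Audit first; only rewrite when the mapping still has extra entries.
    text = read_member(jar_path)
    before = is_patched(text)
    if not before:
        replace_member(jar_path, strip_extra_entries(text))
    return before, is_patched(read_member(jar_path))

# Constructed stand-in for the vulnerable mapping; not Atlassian's real file.
SAMPLE_XML = """<map>
  <entry key="/*" value-ref="xfire"/>
  <entry key="/2/*" value-ref="other"/>
</map>
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "crowd-server-2.4.2.jar")  # constructed sample jar
        with zipfile.ZipFile(path, "w") as jar:
            jar.writestr(MEMBER, SAMPLE_XML)
        return patch_jar(path), patch_jar(path)  # ((False, True), (True, True))
```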