The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of MuleSoft Mule ESB

computer vulnerability announce 20847

Mule: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Mule, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Mule ESB.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 12/10/2016.
Identifiers: VIGILANCE-VUL-20847.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads these XML data can replace these entities by data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - content disclosure from files of the server
 - private web site scan
 - a denial of service by opening a blocking file
This feature must be disabled to process XML data coming from an untrusted source.

However, the Mule parser allows external entities.

An attacker can therefore transmit malicious XML data to Mule, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce 19757

xmlsec: vulnerability

Synthesis of the vulnerability

A vulnerability of xmlsec was announced.
Impacted products: Mule ESB.
Severity: 2/4.
Consequences: unknown consequence, administrator access/rights, privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, data flow, denial of service on server, denial of service on service, denial of service on client, disguisement.
Provenance: document.
Creation date: 01/06/2016.
Identifiers: VIGILANCE-VUL-19757.

Description of the vulnerability

A vulnerability of xmlsec was announced.
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2015-4852 CVE-2015-6420 CVE-2015-6934

Apache Commons Collections: code execution via InvokerTransformer

Synthesis of the vulnerability

An attacker can send a malicious serialized Gadget Chain object to a Java application using Apache Commons Collections, in order to run shell code.
Impacted products: CAS Server, Blue Coat CAS, SGOS by Blue Coat, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco Prime Access Registrar, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, Cisco Unity ~ precise, Debian, BIG-IP Hardware, TMOS, HPE BSM, HPE NNMi, HP Operations, DB2 UDB, Domino, Notes, IRAD, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, JBoss AS OpenSource, Junos Space, ePO, Mule ESB, Snap Creator Framework, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Unix (platform) ~ not comprehensive, vCenter Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 12.
Creation date: 12/11/2015.
Identifiers: 1610582, 1970575, 1971370, 1971531, 1971533, 1971751, 1972261, 1972373, 1972565, 1972794, 1972839, 2011281, 7014463, 7022958, 9010052, BSA-2016-004, bulletinjul2016, c04953244, c05050545, c05206507, c05325823, c05327447, CERTFR-2015-AVI-484, CERTFR-2015-AVI-555, cisco-sa-20151209-java-deserialization, COLLECTIONS-580, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CVE-2015-4852, CVE-2015-6420, CVE-2015-6934, CVE-2015-7420-ERROR, CVE-2015-7450, CVE-2015-7501, CVE-2015-8545, CVE-2015-8765, CVE-2016-1985, CVE-2016-1997, CVE-2016-4373, CVE-2016-4398, DSA-3403-1, HPSBGN03542, HPSBGN03560, HPSBGN03630, HPSBGN03656, HPSBGN03670, JSA10838, NTAP-20151123-0001, RHSA-2015:2500-01, RHSA-2015:2501-01, RHSA-2015:2502-01, RHSA-2015:2516-01, RHSA-2015:2517-01, RHSA-2015:2521-01, RHSA-2015:2522-01, RHSA-2015:2523-01, RHSA-2015:2524-01, RHSA-2015:2534-01, RHSA-2015:2535-01, RHSA-2015:2536-01, RHSA-2015:2537-01, RHSA-2015:2538-01, RHSA-2015:2539-01, RHSA-2015:2540-01, RHSA-2015:2541-01, RHSA-2015:2542-01, RHSA-2015:2547-01, RHSA-2015:2548-01, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2559-01, RHSA-2015:2560-01, RHSA-2015:2578-01, RHSA-2015:2579-01, RHSA-2015:2670-01, RHSA-2015:2671-01, RHSA-2016:0040-01, RHSA-2016:0118-01, SA110, SB10144, SOL30518307, VIGILANCE-VUL-18294, VMSA-2015-0009, VMSA-2015-0009.1, VMSA-2015-0009.2, VMSA-2015-0009.3, VMSA-2015-0009.4, VU#576313.

Description of the vulnerability

The Apache Commons Collections library is used by several Java applications.

A Java Gadgets ("gadget chains") object can contain Transformers, with an "exec" string containing a shell command which is run with the Java.lang.Runtime.exec() method. When raw data are unserialized, the readObject() method is thus called to rebuild the Gadgets object, and it uses InvokerTransformer, which runs the indicated shell command.

It can be noted that other classes (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure) also execute a shell command from raw data to deserialize.

However, several applications publicly expose (before authentication) the Java unserialization feature.

An attacker can therefore send a malicious serialized Gadget Chain object to a Java application using Apache Commons Collections, in order to run shell code.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2015-2613 CVE-2015-7940

Bouncy Castle, Oracle Java: disclosure of elliptic curve private keys

Synthesis of the vulnerability

An attacker can use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Impacted products: Bouncy Castle JCE, DCFM Enterprise, FabricOS, Brocade Network Advisor, Brocade vTM, Debian, Fedora, IRAD, WebSphere MQ, Juniper SBR, Mule ESB, SnapManager, Java OpenJDK, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Server, Java Oracle, JavaFX, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Ubuntu.
Severity: 3/4.
Consequences: data reading.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/10/2015.
Identifiers: 1968485, 1972455, 9010041, 9010044, BSA-2016-002, CERTFR-2019-AVI-325, cpuapr2018, cpujan2017, cpujan2018, cpujan2019, cpujul2015, cpujul2017, cpujul2018, cpuoct2017, CVE-2015-2613, CVE-2015-7940, DSA-3417-1, FEDORA-2015-7d95466eda, JSA10939, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1911-1, RHSA-2016:2035-01, RHSA-2016:2036-01, USN-3727-1, VIGILANCE-VUL-18168.

Description of the vulnerability

The Bouncy Castle and Oracle Java products implement algorithms based on elliptic curves.

However, if the client forces the server to compute a common secret based on points located outside the chosen curve, he can progressively guess the full server key.

An attacker can therefore use a vulnerability in the elliptic curve implementation of Bouncy Castle and Oracle Java, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2015-5262

Apache HttpComponents HttpClient: denial of service via Timeout

Synthesis of the vulnerability

An attacker owning a malicious server can stop responding, to block clients using Apache HttpComponents HttpClient, in order to trigger a denial of service.
Impacted products: Apache HttpClient, Fedora, QRadar SIEM, Mule ESB, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service.
Provenance: internet server.
Creation date: 02/10/2015.
Identifiers: 1259892, 2015815, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2015-5262, FEDORA-2015-15588, FEDORA-2015-15589, USN-2769-1, VIGILANCE-VUL-18023.

Description of the vulnerability

The Apache HttpComponents HttpClient product implements a web client

However, there is no timeout during the connection state to a server.

An attacker owning a malicious server can therefore stop responding, to block clients using Apache HttpComponents HttpClient, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2014-3603

OpenSAML Java: incomplete certificate validation

Synthesis of the vulnerability

An attacker can use any valid certificate on a malicious server, and then invite an Apache HttpClient 3 to connect there, in order to spy communications even if encryption is used.
Impacted products: Fedora, Mule ESB, OpenSAML-J.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 07/08/2015.
Identifiers: CVE-2014-3603, FEDORA-2015-10175, FEDORA-2015-10235, VIGILANCE-VUL-17608.

Description of the vulnerability

The OpenSAML Java library can manage HTTP connections over SSL, using Apache HttpClient 3 (VIGILANCE-VUL-12182).

In order to authenticate a server, the client must check the certificate (cryptographic signatures, validity date range, etc.) and also that the received certificate matches the visited server. This check is usually done on DNS names, or sometimes on IP addresses. However, HttpClient does not check that the names included in the certificates match the one requested at HTTP level. So, any valid certificate is accepted.

An attacker can therefore use any valid certificate on a malicious server, and then invite an OpenSAML Java to connect there, in order to spy communications even if encryption is used.
Full Vigil@nce bulletin... (Free trial)

vulnerability note 16684

Mule ESB: Man-in-the-middle of HTTP Connector

Synthesis of the vulnerability

An attacker can act as a Man-in-the-middle on the HTTP Connector of Mule ESB, in order to capture or alter data.
Impacted products: Mule ESB.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: intranet server.
Creation date: 21/04/2015.
Identifiers: VIGILANCE-VUL-16684.

Description of the vulnerability

The Mule ESB product uses the HTTP Connector to connect to web sites.

However, the HTTP Connector does not check the X.509 certificate.

An attacker can therefore act as a Man-in-the-middle on the HTTP Connector of Mule ESB, in order to capture or alter data.
Full Vigil@nce bulletin... (Free trial)

vulnerability 16270

OpenSAML Java: invalid trust by MetadataPKIX

Synthesis of the vulnerability

An attacker with a certificate provided by one of the Trust Anchors indicated in shibmd:KeyAuthority can impersonate the identity of an entity, in order to escalate his privileges on an application using OpenSAML Java.
Impacted products: Mule ESB, OpenSAML-J.
Severity: 3/4.
Consequences: user access/rights.
Provenance: user account.
Creation date: 26/02/2015.
Identifiers: VIGILANCE-VUL-16270.

Description of the vulnerability

The OpenSAML Java product uses the MetadataPKIX trust engine.

However, MetadataPKIX accepts an X.509 credential when there is no Trusted Name available for an entityID. This case occurs when an entity has a RoleDescriptor KeyDescriptor containing no KeyName element. Editor's announce indicates the list of vulnerable configurations.

An attacker with a certificate provided by one of the Trust Anchors indicated in shibmd:KeyAuthority can therefore impersonate the identity of an entity, in order to escalate his privileges on an application using OpenSAML Java.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce 15527

Mulesoft Mule ESB: code execution

Synthesis of the vulnerability

An attacker can inject Java code into the management console of Mulesoft Mule ESB, in order to, for instance, raise his privileges.
Impacted products: Mule ESB.
Severity: 3/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: intranet client.
Creation date: 23/10/2014.
Revision date: 27/10/2014.
Identifiers: VIGILANCE-VUL-15527.

Description of the vulnerability

The Mulesoft ESB product include a web management console.

This service is used as an RPC server. However, it does not rightly checks the arguments of the call. So, an authenticated attacker can call unauthorized procedures. The attack example suggests that the service deserializes and run the HTTP body without sufficient restrictions about the request content.

An attacker can therefore inject Java code into Mulesoft Mule ESB, in order to, for instance, raise his privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2014-0107

Xalan-Java: vulnerabilities of FEATURE_SECURE_PROCESSING

Synthesis of the vulnerability

An attacker can use several vulnerabilities of the FEATURE_SECURE_PROCESSING implementation in Xalan-Java.
Impacted products: Xalan-Java, Debian, Fedora, SiteScope, Mule ESB, openSUSE, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 25/03/2014.
Identifiers: c05324755, CERTFR-2014-AVI-252, CERTFR-2014-AVI-365, CVE-2014-0107, DSA-2886-1, FEDORA-2014-4426, FEDORA-2014-4443, HPSBGN03669, oCERT-2014-002, openSUSE-SU-2014:0861-1, openSUSE-SU-2014:0948-1, RHSA-2014:0348-01, RHSA-2014:0453-01, RHSA-2014:0454-01, RHSA-2014:0590-01, RHSA-2014:0591-01, RHSA-2014:0818-01, RHSA-2014:0819-01, RHSA-2014:1007-01, RHSA-2014:1059-01, RHSA-2014:1290-01, RHSA-2014:1291-01, RHSA-2014:1351-01, RHSA-2014:1369-01, RHSA-2014:1995-01, RHSA-2015:1009, SUSE-SU-2014:0870-1, USN-2218-1, VIGILANCE-VUL-14468, XALANJ-2435.

Description of the vulnerability

The FEATURE_SECURE_PROCESSING (http://javax.xml.XMLConstants/feature/secure-processing) constant requires Xalan-Java to analyze XML files in a secure way, in order for example to block denial of service attacks. However, it is impacted by three vulnerabilities.

An attacker can access to XSLT 1.0 system-property(), in order to obtain sensitive information. [severity:2/4]

The xalan:content-handler and xalan:entities properties can be used to load a class or an external resource. [severity:2/4; XALANJ-2435]

If BSF (Bean Scripting Framework) is in the classpath, an attacker can open a JAR, in order to execute code. [severity:2/4]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about MuleSoft Mule ESB: