CVE-2019-5427 XML configuration DoS vulnerability in c3p0 

Issue date: 01-07-2019
Affects versions: 13.1, 13.0, 12.6, 11.2

Issue ID: SECURITY-110

 

Affected Product Version(s)
11.2.13, 12.6.3, 13.0.2, 13.1.1 (and previous patch releases)


Severity 

High


Description

CVE-2019-5427

c3p0 versions before 0.9.5.4 can be exploited by a "billion laughs" attack when loading XML configuration: the parser used to read the configuration applied no protection against recursive (exponentially expanding) entity definitions, so a crafted configuration file of a few hundred bytes can force the parser to materialise gigabytes of text and exhaust memory and CPU (denial of service).

This vulnerability is classified as high severity. Although the default usage of this library within the Bloomreach Experience Manager product is not vulnerable, project-specific usage of this third-party code within a customer project may be.

As the affected third-party library is not used by Bloomreach Experience Manager itself, the dependency has been removed from the product.
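To make the attack and the fix concrete, the following is an added example (not code from this advisory, from c3p0, or from Bloomreach). It is written in Python rather than Java because the point is the parser configuration, not the library: it constructs a scaled-down billion-laughs configuration file, measures how much text a default entity-expanding parser has to materialise, and shows a hardened loader that rejects any DOCTYPE or entity declaration before a single entity can be expanded. The `<config>/<property>` layout, the element names and the helper names (`build_billion_laughs`, `parse_config_hardened`, `hardened_rejects`) are assumptions made for illustration; the sample documents are constructed, not taken from any deployment.

```python
import xml.parsers.expat


class EntityDeclRejected(ValueError):
    """Raised by the hardened parser when a document declares a DTD or an entity."""


def build_billion_laughs(depth: int, fanout: int) -> str:
    """Construct a scaled-down billion-laughs configuration file (constructed input).

    Entity l0 is the literal "lol"; each entity lN is `fanout` references to
    l(N-1).  The single reference &l<depth>; inside <property> therefore expands
    to fanout**depth copies of "lol" from a document of a few hundred bytes.
    depth=10, fanout=10 is the classic ~3 GB payload; keep it small here.
    """
    decls = ['<!ENTITY l0 "lol">']
    for n in range(1, depth + 1):
        body = "".join(f"&l{n - 1};" for _ in range(fanout))
        decls.append(f'<!ENTITY l{n} "{body}">')
    doctype = "<!DOCTYPE config [\n" + "\n".join(decls) + "\n]>"
    return (
        '<?xml version="1.0"?>\n'
        f"{doctype}\n"
        f'<config><property name="user">&l{depth};</property></config>'
    )


def expanded_text_length(doc: str) -> int:
    """Parse with a default expat parser (entities expanded, no limits of our own)
    and return how many characters of text it delivered: this is what a parser
    without expansion protection has to hold in memory."""
    total = 0

    def on_chars(data: str) -> None:
        nonlocal total
        total += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def parse_config_hardened(doc: str) -> dict:
    """Parse <config><property name=...>value</property>...</config> while
    refusing any DOCTYPE or entity declaration.  Configuration files have no
    legitimate need for a DTD, so rejecting it outright (rather than trying to
    cap expansion) closes the whole class of entity-expansion attacks."""
    props: dict = {}
    current = None
    chunks: list = []

    def on_doctype(name, sysid, pubid, has_internal_subset) -> None:
        raise EntityDeclRejected(f"DOCTYPE {name!r} is not allowed in configuration")

    def on_entity_decl(name, *rest) -> None:
        raise EntityDeclRejected(f"entity declaration {name!r} is not allowed")

    def on_start(name, attrs) -> None:
        nonlocal current
        if name == "property":
            current = attrs.get("name")
            chunks.clear()

    def on_chars(data: str) -> None:
        if current is not None:
            chunks.append(data)

    def on_end(name) -> None:
        nonlocal current
        if name == "property" and current is not None:
            props[current] = "".join(chunks)
            current = None

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype   # fires before any entity is read
    parser.EntityDeclHandler = on_entity_decl     # defence in depth for the same case
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)                       # handler exceptions propagate here
    return props


def hardened_rejects(doc: str) -> bool:
    """True if the hardened loader refuses the document."""
    try:
        parse_config_hardened(doc)
    except EntityDeclRejected:
        return True
    return False


# Constructed sample inputs (not from any real deployment).
BENIGN_CONFIG = (
    '<?xml version="1.0"?>\n'
    '<config><property name="user">app</property>'
    '<property name="maxPoolSize">20</property></config>'
)
MALICIOUS_CONFIG = build_billion_laughs(depth=4, fanout=4)


if __name__ == "__main__":
    print(f"payload bytes: {len(MALICIOUS_CONFIG)}, "
          f"expanded text: {expanded_text_length(MALICIOUS_CONFIG)}")
    print("benign config:", parse_config_hardened(BENIGN_CONFIG))
    print("hardened parser rejects payload:", hardened_rejects(MALICIOUS_CONFIG))
```

The payload uses depth 4 and fan-out 4 so that it runs instantly; the amplification ratio (a few hundred bytes in, 768 characters out) grows as fanout**depth, which is what makes the full-size version a denial of service. For a Java loader the same policy is expressed by setting the `http://apache.org/xml/features/disallow-doctype-decl` feature to true on the JAXP factory before parsing.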

 

Instructions

Every customer is strongly advised to upgrade as soon as possible to the latest maintenance release indicated above, or higher. This can be done by incrementing the version number of the parent POM of the implementation project. Note that removing the dependency from the product does not cover a project that declares c3p0 itself: such a project must upgrade its own c3p0 dependency to 0.9.5.4 or later.