
====================================================================


                             CERT-Renater

                 Note d'Information No. 2018/VULN009
_____________________________________________________________________

DATE                : 16/01/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Roller versions 5 prior to
                     5.2.2.

=====================================================================
http://mail-archives.apache.org/mod_mbox/roller-user/201901.mbox/%3cCAF1aazApsagijv4b-Fu=zvL9a6vu4nefc_RZF8cx0NdCP_OUjA@mail.gmail.com%3e
_____________________________________________________________________

Severity: Important

Vendor:
   The Apache Software Foundation

Versions Affected:
   Roller 5.2.1
   Roller 5.2
   The unsupported pre-Roller 5.1 versions may also be affected.


Description:

Roller relies on the Java SAX parser to implement its XML-RPC interface, and
by default that parser resolves external entities declared in an XML DOCTYPE.
This exposes Roller to an SSRF / file enumeration (XXE) vulnerability. Note
that the vulnerability exists even if the Roller XML-RPC interface has been
disabled via the Roller web admin UI, because the servlet still parses the
request.


Mitigation:

   There are a couple of ways you can fix this vulnerability:

   1) Upgrade to the latest version of Roller, which is now 5.2.2

   2) Or, edit the Roller web.xml file and comment out the XML-RPC
      Servlet mapping as shown below:

<!--
<servlet-mapping>
    <servlet-name>XmlRpcServlet</servlet-name>
    <url-pattern>/roller-services/xmlrpc</url-pattern>
</servlet-mapping>
-->
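Added example, not taken from the advisory or from the Roller code base: it
shows how the SAX parser described above can be configured so that DOCTYPE
declarations and external entities are rejected instead of being resolved
by default. It is in Java because Roller is a Java web application. The class
name, the sample XML-RPC request and its placeholder SYSTEM path are all
constructed for this illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedSaxDemo {

    // Constructed sample XML-RPC request whose DOCTYPE declares an external
    // entity. The SYSTEM identifier is a placeholder, not a real location.
    static final String SAMPLE = String.join("\n",
        "<?xml version=\"1.0\"?>",
        "<!DOCTYPE methodCall [",
        "  <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\">",
        "]>",
        "<methodCall><methodName>&ext;</methodName></methodCall>");

    /** Builds a SAXParser that refuses DOCTYPE declarations and external entities. */
    static SAXParser hardenedParser() throws ParserConfigurationException, SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        // Rejecting any DOCTYPE is the simplest and most complete XXE defence.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DOCTYPE.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        return f.newSAXParser();
    }

    /** Parses xml with parser p; returns true if accepted, false if rejected. */
    static boolean accepts(SAXParser p, String xml) throws IOException {
        try {
            p.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // The hardened parser rejects the DOCTYPE before any entity is resolved.
        System.out.println("hardened parser accepts sample: "
            + accepts(hardenedParser(), SAMPLE));
    }
}
```

With the hardened factory the sample is rejected with a SAXParseException about the disallowed DOCTYPE, so the placeholder SYSTEM entity is never fetched; a factory created with `SAXParserFactory.newInstance()` and no feature changes would accept it.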


Credit:

   This issue was discovered by Arseniy Sharoglazov.

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================