Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Spring Integration Issue With Latest XXE Patch and WebSphere 9.0 [SWS-1090] #1156

Closed
gregturn opened this issue Sep 11, 2020 · 4 comments
Closed

Spring Integration Issue With Latest XXE Patch and WebSphere 9.0 [SWS-1090] #1156

gregturn opened this issue Sep 11, 2020 · 4 comments
Assignees
@gregturn
Labels
type: bug
Milestone
3.0.10

Comments

@gregturn
Copy link
Contributor

Will Weyant opened SWS-1090 and commented

 When we deployed our application with Spring Integration 5.3.2.RELEASE we discovered that our application failed to deploy to WebSphere 9.0 via script or the console. Deploying via Eclipse worked fine. In the WebSphere SystemOut.log, we found the following error message: "org.springframework.xml.validation.XmlValidationException: Could not create Schema: Failed to load external schema document "wsjar:[file:|file:///]...", because "wsjar" access is not allowed". This occurred when loading XSD files contained in another jar from our interfaces war. The affected versions are the patched versions and later found here: .[https://github.com/advisories/GHSA-wr5r-m8pc-85j9].

We traced the issue to the org.springframework.xml.validation.SchemaFactoryUtils. class called via Jaxp15ValidatorFactory.createValidator(...) and SchemaLoaderUtils.loadSchema(...). The SchemaFactoryUtils.newInstance(...) method has a hard coded list of protocols (see attached image of code). This list does not include WebSphere's proprietary wsjar protocol.

 

 

!https://user-images.githubusercontent.com/33791605/92931312-45bf2e80-f411-11ea-9d0e-bfe2a7f0a51a.jpg!
 
To resolve our issue, we created a custom XML validator, which adds wsjar to the accepted protocols and applied to our int-xml:validating-filter in our integration flow configuration.|

Affects: 3.0.6, 3.0.7, 3.0.8, 3.0.9

Attachments:
@gregturn
Copy link
Contributor Author

Greg Turnquist commented

Can you take 3.0.10.BUILD-SNAPSHOT for a spin?

@gregturn
Copy link
Contributor Author

Will Weyant commented

I hope to test it out by the end of the week. We are in the middle of a major upgrade (a lot of fun so far :)).

@gregturn
Copy link
Contributor Author

Greg Turnquist commented

To go along with release plans on our end, this has been released. If you have more issues, open another issue.

@gregturn
Copy link
Contributor Author

Will Weyant commented

I was able to test the 3.0.10.RELEASE of spring-xml and it works fine in WebSphere. Thanks for the quick fix!

@gregturn gregturn added this to the 3.0.10 milestone Sep 22, 2020
@gregturn gregturn self-assigned this Sep 22, 2020
@willweyant willweyant mentioned this issue Nov 23, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gregturn gregturn

Labels
type: bug
Projects
None yet
Milestone
3.0.10
Development

No branches or pull requests
1 participant
@gregturn