Impact
An XML external entity (XXE) attack allows an attacker on the same network as the openHAB instance to retrieve internal information, such as the contents of files on the file system. Responses to SSDP requests are an especially easy vector, because any device on the local network can answer them. All add-ons that use SAX or JAXB to parse externally received XML are potentially subject to this kind of attack. In openHAB, the following add-ons are potentially impacted:
AvmFritz, BoseSoundtouch, DenonMarantz, DLinkSmarthome, Enigma2, FmiWeather, FSInternetRadio, Gce, Homematic, HPPrinter, IHC, Insteon, Onkyo, Roku, SamsungTV, Sonos, Tellstick, TR064, UPnPControl, Vitotronic, Wemo, YamahaReceiver and XPath Transformation.
Patches
The vulnerabilities have been fixed by configuring the XML parsers used by these add-ons more strictly, so that external entities are no longer resolved.
The following openHAB patch releases contain the fix: openHAB 2.5.12 and openHAB 3.0.1.
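The following is an added example, not code from openHAB or from this advisory. It shows the attack and the fix side by side: a constructed UPnP device description of the kind a rogue device could return in reply to an SSDP M-SEARCH carries a DOCTYPE whose external entity points at a file on the host, and the default JDK `SAXParserFactory` happily inlines that file into the parsed element. The `hardenedFactory()` method applies the standard XXE-hardening features (disallowing DOCTYPE, disabling external general and parameter entities, not loading external DTDs); the advisory only says the parser configuration was made stricter, so treat this particular feature set as the editor's assumption about what "stricter" means, not as the exact openHAB patch. The temporary "secret" file and the `friendlyName` extraction are constructed for the demo.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class XxeDemo {

    // Assumed hardening (editor's choice of features, not the exact openHAB patch):
    // refuse any DOCTYPE, and as defence in depth also switch off external
    // general/parameter entities and external DTD loading.
    static SAXParserFactory hardenedFactory() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f;
    }

    // Minimal SAX handler that pulls the text of <friendlyName>, the way a
    // discovery add-on would read a device description (constructed for the demo).
    static String extractFriendlyName(SAXParserFactory factory, String xml) throws Exception {
        StringBuilder name = new StringBuilder();
        SAXParser parser = factory.newSAXParser();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            private boolean inName;

            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                inName = "friendlyName".equals(local) || "friendlyName".equals(qName);
            }

            @Override
            public void endElement(String uri, String local, String qName) {
                inName = false;
            }

            @Override
            public void characters(char[] ch, int start, int length) {
                if (inName) {
                    name.append(ch, start, length);
                }
            }
        });
        return name.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the openHAB host.
        Path secret = Files.createTempFile("openhab-secret", ".txt");
        Files.writeString(secret, "db-password=hunter2");

        // Constructed malicious device description: the external entity reads
        // the file and the parser substitutes its content into <friendlyName>.
        String evil = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<root xmlns=\"urn:schemas-upnp-org:device-1-0\"><device>"
                + "<friendlyName>&xxe;</friendlyName></device></root>";

        // Default factory: external general entities are resolved, file content leaks.
        System.out.println("default factory -> " + extractFriendlyName(SAXParserFactory.newInstance(), evil));

        // Hardened factory: the DOCTYPE itself is rejected before any entity is touched.
        try {
            extractFriendlyName(hardenedFactory(), evil);
            System.out.println("hardened factory -> parsed (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened factory -> rejected: " + e.getMessage());
        }

        Files.delete(secret);
    }
}
```

For the JAXB-based add-ons the same factory applies: obtain an `XMLReader` from `hardenedFactory().newSAXParser().getXMLReader()`, wrap the input in a `javax.xml.transform.sax.SAXSource`, and pass that to `Unmarshaller.unmarshal(...)` instead of handing the raw `InputStream` to JAXB, which would otherwise build its own, default-configured parser.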
References
For more information
If you have any questions or comments about this advisory, please visit this topic in our community forum.