Apache SIS XML External Entity Vulnerability Allowing Local File Disclosure

Vulnerability

An improper restriction of XML external entity references (XXE, CWE-611) has been identified in Apache SIS versions 0.4 through 1.5. An attacker who can supply an XML document that Apache SIS parses can declare an external entity pointing at a local file; when the parser resolves that entity, the file's contents are read into the parsed document and can be disclosed to the attacker. The issue affects several SIS services: reading GeoTIFF files carrying the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG), parsing ISO 19115 metadata in XML form, processing Coordinate Reference Systems defined in GML, and interpreting GPS Exchange Format (GPX) files.

Impact

Exploitation of this vulnerability can lead to unauthorized disclosure of the contents of local files readable by the Java process running Apache SIS, for any file whose path the attacker can name in the crafted document.

Remediation

Users are advised to upgrade to Apache SIS version 1.6, which addresses this vulnerability. Until the upgrade is possible, the issue can be mitigated by launching Java with the 'javax.xml.accessExternalDTD' system property set to a comma-separated list of protocols that the XML parser is permitted to use for external DTDs and external entities; per the JAXP documentation, an empty string denies all such access, which is the appropriate setting when the application does not rely on external DTDs. Note that the property is read by the JAXP factories at parser creation, so it only protects parsers created after the JVM is started with it (or after it is set programmatically).
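The following added example (not code from the Apache SIS project or from this advisory) reproduces the mechanism described above with a plain JAXP DocumentBuilder: a constructed ISO 19115-style document declares an external entity that points at a temporary file, the default parser expands it and returns the file's text, and the same document is then rejected once the mitigation from this advisory is applied. The class name, the temporary file and the document content are illustrative assumptions; the hardening calls (XMLConstants.ACCESS_EXTERNAL_DTD, FEATURE_SECURE_PROCESSING and the Xerces disallow-doctype-decl feature) are standard JAXP/Xerces settings.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Added XXE demonstration; assumes a JDK 11+ runtime with the built-in JAXP parser. */
public class XxeDemo {

    private static final String GMD_NS = "http://www.isotc211.org/2005/gmd";

    /** Constructed ISO 19115-style document whose DOCTYPE declares an entity backed by a local file. */
    static String craftedXml(Path localFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE gmd:MD_Metadata [\n"
             + "  <!ENTITY xxe SYSTEM \"" + localFile.toUri() + "\">\n"
             + "]>\n"
             + "<gmd:MD_Metadata xmlns:gmd=\"" + GMD_NS + "\">\n"
             + "  <gmd:fileIdentifier>&xxe;</gmd:fileIdentifier>\n"
             + "</gmd:MD_Metadata>\n";
    }

    /** JAXP defaults: external entities are resolved, so the file content ends up in the DOM. */
    static String parseWithDefaults(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        return fileIdentifier(f.newDocumentBuilder(), xml);
    }

    /**
     * The advisory's mitigation as applied to a parser we do not control: the system property
     * is read by the factory at creation time, so it must be set before newInstance().
     * An empty protocol list denies every external DTD / entity access.
     */
    static String parseWithSystemProperty(String xml) throws Exception {
        System.setProperty("javax.xml.accessExternalDTD", "");
        try {
            return parseWithDefaults(xml);
        } finally {
            System.clearProperty("javax.xml.accessExternalDTD");
        }
    }

    /** Hardened factory for code that owns its parser: deny external access and refuse DOCTYPE outright. */
    static String parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return fileIdentifier(f.newDocumentBuilder(), xml);
    }

    private static String fileIdentifier(DocumentBuilder b, String xml) throws IOException, SAXException {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getElementsByTagNameNS(GMD_NS, "fileIdentifier").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" standing in for /etc/passwd or a credentials file on the server.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-FROM-LOCAL-FILE");
        String xml = craftedXml(secret);
        try {
            System.out.println("default parser       : " + parseWithDefaults(xml));
            for (String mode : new String[] {"system property", "hardened factory"}) {
                try {
                    String out = mode.startsWith("system") ? parseWithSystemProperty(xml) : parseHardened(xml);
                    System.out.println(mode + ": UNEXPECTED " + out);
                } catch (SAXException e) {
                    // Both mitigations surface as a parse error instead of file contents.
                    System.out.println(mode + ": rejected (" + e.getMessage() + ")");
                }
            }
        } finally {
            Files.delete(secret);
        }
    }
}
```

Run it with `java XxeDemo.java`; the default parser prints the temporary file's content, the other two print a rejection. The system-property variant is the one that matters for an unpatched Apache SIS deployment, because SIS creates its own parsers internally; passing `-Djavax.xml.accessExternalDTD=""` on the command line has the same effect as the System.setProperty call, and applies to every JAXP parser the JVM creates.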

Added: Jan 5, 2026, 2:19 PM
Updated: Jan 5, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 7.4
remediation:    0.0
relevance:      1.9
threat:         0.0
urgency:        2.9
incentive:      5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.