[CVE-2016-6805] Arbitrary File Read due to eXternal Xml Entity attack in Apache Ignite

[CVE-2016-6805] Arbitrary File Read due to eXternal Xml Entity attack in =
Apache Ignite

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Ignite 1.0.0-RC3 to 1.8

Description:
Apache Ignite uses an update notifier component to update the users =
about new project releases that include additional functionality, bug =
fixes and performance improvements. To do that the component =
communicates to an external PHP server (http://ignite.run) where it =
needs to send some system properties like Apache Ignite or Java version. =
This feature is enabled by default and used to send sensitive data over =
HTTP by mistake, such as installation folders or environment variables =
stored in Java system properties. The second issue is because TLS is not =
used between the application and the PHP server, a Man-in-the-middle =
attack is possible and a malicious actor could alter the response coming =
from the ignite.run server. This response is parsed by the Apache ignite =
component as XML, and a XXE attack can be triggered.

Both issues mentioned above were fixed as a part of Apache Ignite 1.9 =
release. The relevant commits with the changes:

Mitigation:
Users must upgrade to Apache Ignite 1.9 or later versions or disable the =
update notifier.

Credit:
Pierre Ernst, Salesforce