DTD-defined entities can be added to XML without breaking signature

Description

An outside tester identified a specific vulnerability that uses a DTD internal subset. It applies in cases where the Xerces parser is too old to let the SP turn off DTD support, which among the platforms we package is primarily Red Hat 7 and OpenSUSE 13.
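The short-term mitigation discussed below is to reject any document that carries a DOCTYPE before it reaches the unmarshaller. As an added illustration (not code from xmltooling or the Shibboleth project), this Python gate uses expat's StartDoctypeDeclHandler to refuse such documents before any signature or unmarshalling work happens; the sample documents and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when an inbound document carries a DOCTYPE declaration."""


def has_doctype(xml_bytes: bytes) -> bool:
    """Return True if the document declares a DOCTYPE at all.

    Both an external DTD reference and an internal subset trigger the
    handler, so entity declarations are caught regardless of where they
    live. Parsing is aborted as soon as the declaration is seen.
    """
    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Raising inside the handler propagates out of Parse(), so no
        # further content (and no entity expansion) is processed.
        raise DtdNotAllowed(f"DOCTYPE '{name}' not permitted")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(xml_bytes, True)
    except DtdNotAllowed:
        return True
    return False


def unmarshal_if_clean(xml_bytes: bytes) -> ET.Element:
    """Gate the document on has_doctype(), then parse it normally.

    Hypothetical stand-in for an unmarshaller entry point: the DOCTYPE
    check runs first so a rejected document never reaches the parser
    that would honour its entity declarations.
    """
    if has_doctype(xml_bytes):
        raise DtdNotAllowed("refusing document with DOCTYPE")
    return ET.fromstring(xml_bytes)


# Constructed samples: a plain document, one with an internal subset,
# and one referring to an external DTD.
CLEAN = b'<?xml version="1.0"?><Response ID="abc"><Status/></Response>'
INTERNAL_SUBSET = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE Response [<!ENTITY greeting "hello">]>'
                   b'<Response ID="abc"><Status/></Response>')
EXTERNAL_DTD = (b'<?xml version="1.0"?>'
                b'<!DOCTYPE Response SYSTEM "response.dtd">'
                b'<Response ID="abc"><Status/></Response>')
```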

Environment

None

Activity

Scott Cantor January 12, 2018 at 3:44 PM

Patch released and advisory posted.

Scott Cantor January 11, 2018 at 3:38 PM

Schema validation also appears to be a defense due to some Xerces limitations, but that's more obscure and isn't generally used with SAML messages.

Scott Cantor January 11, 2018 at 3:33 PM

In point of fact, the impact of this bug is limited to platforms with a rotted parser. Anything new enough that supports the XERCES_DISABLE_DTD variable is protected by default because I defaulted to setting that variable from within the code in 2.6.0.

So Windows for example cannot be attacked with this exploit, nor can OS X.

Red Hat 7 is probably the most common supported platform that can.

Scott Cantor January 10, 2018 at 4:08 PM

Preliminary assessment is that the best short term fix ahead of getting Xerces 3.2 into the build is to block this in the Unmarshaller for now and ship an xmltooling patch.

Fixed

Created January 10, 2018 at 2:35 PM
Updated June 24, 2021 at 1:25 PM
Resolved January 12, 2018 at 2:29 PM