Posted to announce@apache.org by Colm O hEigeartaigh <co...@apache.org> on 2019/08/23 15:44:20 UTC

[CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

The following security advisory is announced for the Apache Santuario - XML
Security for Java project, which is fixed in the recent 2.1.4 release.

[CVEID]:CVE-2019-12400
[PRODUCT]:Apache Santuario - XML Security for Java
[VERSION]:All 2.0.x releases from 2.0.3, all 2.1.x releases before 2.1.4.
[PROBLEMTYPE]:Process Control
[REFERENCES]:
http://santuario.apache.org/secadv.data/CVE-2019-12400.asc?version=1&modificationDate=1566573083000&api=v2
[DESCRIPTION]:In version 2.0.3 of Apache Santuario XML Security for Java, a
caching mechanism was introduced to speed up creating new XML documents using a
static pool of DocumentBuilders.

However, if some untrusted code can register a malicious implementation with
the thread context class loader first, then this implementation might be
cached and re-used by Apache Santuario - XML Security for Java, leading to
potential security flaws when validating signed documents, etc.

For more information, please see the security advisories page of Apache
Santuario: http://santuario.apache.org/secadv.html

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
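Added example, not part of the advisory and not code from the Santuario project: the Java program below models the failure mode the description names. JAXP's DocumentBuilderFactory.newInstance() resolves its implementation from ambient state (the javax.xml.parsers.DocumentBuilderFactory system property, then a ServiceLoader lookup on the thread context class loader), so a component that performs that lookup once and caches the result keeps whatever implementation was current at first use, for every caller afterwards. The names TcclPoisoningDemo, AmbientPool, EvilFactory, pinnedFactory and loaderAdvertising are hypothetical; AmbientPool stands in for the static pool the advisory describes and is not Santuario's implementation. The hardened variant pins the JDK's built-in parser with DocumentBuilderFactory.newDefaultInstance() (Java 9 or later), which does not consult the context class loader, and disables DOCTYPE declarations before anything is parsed.

```java
import java.io.IOException;
import java.net.URL;
import java.net.URLClassLoader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

public class TcclPoisoningDemo {

    /** Stand-in for attacker-controlled code: a JAXP factory that hands out builders it controls. */
    public static final class EvilFactory extends DocumentBuilderFactory {
        private final DocumentBuilderFactory real = DocumentBuilderFactory.newDefaultInstance();
        public static int buildersHandedOut = 0;

        @Override public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
            buildersHandedOut++;
            // Real hostile code could return a wrapping DocumentBuilder that rewrites the DOM or
            // re-enables external entities; this demo only records that it was put in charge.
            return real.newDocumentBuilder();
        }
        @Override public void setAttribute(String n, Object v) { real.setAttribute(n, v); }
        @Override public Object getAttribute(String n) { return real.getAttribute(n); }
        @Override public void setFeature(String n, boolean v) throws ParserConfigurationException { real.setFeature(n, v); }
        @Override public boolean getFeature(String n) throws ParserConfigurationException { return real.getFeature(n); }
    }

    /** Hypothetical model of the pattern the advisory describes: the factory is resolved once via
     *  ambient JAXP lookup (system property, then ServiceLoader on the thread context class loader)
     *  and cached for the life of the process. This is NOT Santuario's code. */
    static final class AmbientPool {
        private static DocumentBuilderFactory cached;
        static synchronized DocumentBuilderFactory factory() {
            if (cached == null) {
                cached = DocumentBuilderFactory.newInstance();  // consults the TCCL at this moment only
            }
            return cached;
        }
    }

    /** Hardened variant: pin the JDK's own implementation and never consult the TCCL. */
    static DocumentBuilderFactory pinnedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newDefaultInstance();   // Java 9+
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Build a class loader whose META-INF/services entry nominates the given provider
     *  (constructed in a temp directory so the demo runs offline). */
    static ClassLoader loaderAdvertising(Class<? extends DocumentBuilderFactory> provider) throws IOException {
        Path root = Files.createTempDirectory("poisoned-cp");
        Path svc = root.resolve("META-INF/services/javax.xml.parsers.DocumentBuilderFactory");
        Files.createDirectories(svc.getParent());
        Files.write(svc, provider.getName().getBytes(StandardCharsets.UTF_8));
        return new URLClassLoader(new URL[] { root.toUri().toURL() }, TcclPoisoningDemo.class.getClassLoader());
    }

    public static void main(String[] args) throws Exception {
        Thread t = Thread.currentThread();
        ClassLoader benign = t.getContextClassLoader();

        // 1. Untrusted code gets to run first, with a TCCL that advertises its own factory.
        t.setContextClassLoader(loaderAdvertising(EvilFactory.class));
        System.out.println("first lookup : " + AmbientPool.factory().getClass().getName());

        // 2. The TCCL is restored, but the pool keeps handing out the poisoned factory.
        t.setContextClassLoader(benign);
        System.out.println("later lookup : " + AmbientPool.factory().getClass().getName());
        AmbientPool.factory().newDocumentBuilder();
        System.out.println("builders from attacker factory: " + EvilFactory.buildersHandedOut);

        // 3. The pinned factory ignores the TCCL entirely.
        System.out.println("pinned       : " + pinnedFactory().getClass().getName());
    }
}
```

Run with "java TcclPoisoningDemo.java" on JDK 11 or later. The first two lines print the attacker's class name even after the context class loader has been put back, and the builder count from the attacker's factory is 1; the pinned lookup prints the JDK's built-in factory class regardless of what the context class loader advertises. The temporary META-INF/services file is only there to make the poisoned class loader concrete; the same effect comes from any jar on the class path of the thread that first touches such a pool, which is why Scott's point below about not mixing trusted and untrusted code in one JVM is the operative mitigation on the deployment side.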

Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

Yes, Scott's interpretation is correct - I'm sorry if the wording of the
CVE was not sufficiently clear. Let me see if there's a way to query the
CVSSv3 score that was assigned to the CVE...

Colm.

On Fri, Sep 6, 2019 at 3:03 PM Cantor, Scott <ca...@osu.edu> wrote:

> On 9/6/19, 5:44 AM, "RvG" <ri...@onegini.com> wrote:
>
> > I was going for a reading like this as well, but there's a little too much
> > ambiguity in the original wording for me to feel comfortable reading it like
> > that. I say that considering that the CVSSv3 score assigned to this
> > vulnerability (7.5) is rather high if the bug requires you to load untrusted
> > XML parsers to be effective.
>
> I think quantitative scoring like that is ridiculous and will never be
> meaningful, nor do I know who scored it.
>
> I think it's entirely fair to expect the upstream project to be clear
> about the issue if it can be without disclosing information that would put
> people at risk, but it's not my advisory, so it's not my place to clarify
> it beyond what I've already said. If my understanding is incorrect, then
> I'm sure I'll be corrected.
>
> -- Scott

Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Posted by "Cantor, Scott" <ca...@osu.edu>.
On 9/6/19, 5:44 AM, "RvG" <ri...@onegini.com> wrote:

> I was going for a reading like this as well, but there's a little too much
> ambiguity in the original wording for me to feel comfortable reading it like
> that. I say that considering that the CVSSv3 score assigned to this
> vulnerability (7.5) is rather high if the bug requires you to load untrusted
> XML parsers to be effective.

I think quantitative scoring like that is ridiculous and will never be meaningful, nor do I know who scored it.

I think it's entirely fair to expect the upstream project to be clear about the issue if it can be without disclosing information that would put people at risk, but it's not my advisory, so it's not my place to clarify it beyond what I've already said. If my understanding is incorrect, then I'm sure I'll be corrected.

-- Scott



Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Posted by RvG <ri...@onegini.com>.
Thanks Scott.

I was going for a reading like this as well, but there's a little too much
ambiguity in the original wording for me to feel comfortable reading it like
that. I say that considering that the CVSSv3 score assigned to this
vulnerability (7.5) is rather high if the bug requires you to load untrusted
XML parsers to be effective.



--
Sent from: http://apache-xml-project.6118.n7.nabble.com/Apache-XML-Security-Dev-f33675.html

Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Posted by "Cantor, Scott" <ca...@osu.edu>.
My understanding is that the bug has to do with the presence of untrusted XML parsing implementations of the DocumentBuilder interface in a JVM, which implies that you don't control the code in your JVM, or you are tremendously unwisely mixing code that "matters" with code managed by somebody else you don't trust.

-- Scott



Re: [CVE-2019-12400] Apache Santuario potentially loads XML parsing code from an untrusted source

Posted by RvG <ri...@onegini.com>.
Hi there,

I'm looking for some clarification on this vulnerability. Based on the
description provided it's unclear under what circumstances this
vulnerability exists. For example, what is meant with "a malicious
implementation" - an implementation of what? What exactly are the implied
"potential security flaws"?

Could you clarify the precise impact for the community? At the moment I'm
not certain whether this description implies an arbitrary XML External
Entity attack in nearly all usage conditions, or whether this requires very
specific conditions to be present in the use of Santuario.

Thank you for developing this library - I hope you can help.



--
Sent from: http://apache-xml-project.6118.n7.nabble.com/Apache-XML-Security-Dev-f33675.html