-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.2056
            Xerces-J XML Parser Vulnerable to Denial of Service
                              5 November 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Shibboleth Identity Provider
Publisher:         Shibboleth
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-4002  

Reference:         ESB-2014.1694
                   ESB-2014.1385
                   ESB-2014.0538
                   ASB-2013.0124
                   ASB-2013.0113

Original Bulletin: 
   http://shibboleth.net/community/advisories/secadv_20141103.txt

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


Shibboleth Identity Provider Security Advisory [3 November 2014]

Xerces-J XML Parser Vulnerable to Denial of Service
=========================================================================
The Shibboleth IdP software has historically required the use of the
Xerces-J XML parser and was shipped with packaging, configuration, and
documentation that required the use of the Java Endorsement mechanism
to override the JDK-supplied parser and substitute the use of Xerces.

In 2013, a denial of service issue was disclosed in the parser, but
overlooked by most of the industry until recently. The Xerces Project
corrected the bug in their source tree, but has never issued an update
that addresses the problem.

The Xerces issue was assigned CVE-2013-4002.

Recent versions of the Shibboleth software can be configured to use
the standard XML parser provided with the supported Oracle or OpenJDK
Java software. An updated version of the IdP, V2.4.3, is also now
available; it explicitly omits the Xerces library and related files
and includes the configuration change required to use the built-in
parser.

Versions of the IdP prior to V2.4.0, which are formally unsupported,
contain dependencies that make it more difficult to change the parser
used. In such cases, and in fact with newer versions, we recommend
an additional change that also closes the vulnerability, limiting the
size of form POST data allowed by the Java container software
(e.g., Tomcat).

The recommended container for all versions of Shibboleth is now Jetty 9,
which defaults to a POST limit of 200k and is not vulnerable to this issue.

Tomcat, along with most other containers, defaults to a larger limit that
should be changed to mitigate this issue and make future threats much less
likely.


Affected Versions
=================

All versions of the Identity Provider using the Xerces-J parser,
typically through the Java Endorsement mechanism. All versions prior
to V2.4.3 include the Xerces software, and include configuration
settings that work with it specifically.

That is, if the conf/internal.xml file is unmodified, you are using
Xerces and are vulnerable to this issue.


Recommendations
===============
All containers other than Jetty: refer to your container documentation
and if possible, configure the container to reject form POST sizes
larger than 100k.

In the case of Tomcat (including many versions of JBoss), the maxPostSize
attribute is used to adjust this limit in any <Connector> element in
conf/server.xml (this setting can apply to both HTTP/HTTPS and AJP).
Setting maxPostSize="100000" is a reasonable limit.
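As an added illustration (not part of the advisory), here is the recommended Tomcat change shown as a before/after fragment of conf/server.xml. The port numbers and protocol attributes are placeholders; only the maxPostSize attribute and its value come from the advisory. The "before" connectors carry no maxPostSize, so Tomcat's default of 2 MiB applies:

```xml
<!-- BEFORE (constructed example): no maxPostSize, so Tomcat's default
     of 2 MiB applies to form POST bodies reaching the IdP's parser. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- AFTER: cap form POST bodies at 100,000 bytes on every connector
     that can reach the IdP. The advisory notes the attribute applies
     to HTTP/HTTPS and AJP alike, so both connectors get it. -->
<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           maxPostSize="100000" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           maxPostSize="100000" />
```

Note that Tomcat's maxPostSize governs the parsing of URL-encoded form parameters, which is exactly how the SAML POST binding delivers the XML message to the IdP; that is why a container-level POST limit bounds the input the parser can receive. After restarting Tomcat, a POST whose body exceeds the limit is refused before the XML is parsed, which is the effect the advisory relies on.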

Deployers running IdP V2.4.0 or greater should unendorse the Xerces/Xalan
libraries from their container and adjust their configuration as follows:

Edit $IDP_HOME/conf/internal.xml. Find the bean definition containing
class="org.apache.xerces.util.SecurityManager" and change the class
name to "com.sun.org.apache.xerces.internal.util.SecurityManager".

If your IdP startup fails with a ClassNotFound error mentioning
"org.apache.xerces.util.SecurityManager", this is due to failure to
edit the file as described.
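The internal.xml edit, shown as an added before/after fragment that is not the project's shipped file: the bean id, the parser-pool class and the surrounding property wiring are assumptions about how the SecurityManager is attached to the parser pool; only the two class names and the substitution itself are from the advisory. The security-manager attribute is what carries the parser's entity-expansion limits, so it must name a class the JVM can actually load:

```xml
<!-- BEFORE (constructed example): names the endorsed Xerces-J class.
     Once the Xerces jars are unendorsed this class no longer exists on
     the classpath, which is the ClassNotFound failure the advisory
     describes. -->
<bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.BasicParserPool">
    <property name="builderAttributes">
        <map>
            <entry key="http://apache.org/xml/properties/security-manager">
                <bean class="org.apache.xerces.util.SecurityManager" />
            </entry>
        </map>
    </property>
</bean>

<!-- AFTER: the same attribute, backed by the parser bundled with the
     Oracle/OpenJDK runtime, so no endorsed Xerces is needed. -->
<bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.BasicParserPool">
    <property name="builderAttributes">
        <map>
            <entry key="http://apache.org/xml/properties/security-manager">
                <bean class="com.sun.org.apache.xerces.internal.util.SecurityManager" />
            </entry>
        </map>
    </property>
</bean>
```

The class name is the only difference between the two fragments. A quick check after the edit is to start the IdP and confirm the log shows no ClassNotFound for either SecurityManager class; a failure naming the com.sun.org.apache.xerces.internal package would indicate a JDK from a different source, which the advisory's note below addresses.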

IdP V2.4.3 is also available and no longer includes the unneeded jars,
does not install a lib/endorsed directory, and includes an internal.xml
file modified as above. Upgrading to this version will not overwrite the
installed copy of internal.xml, but you can compare your version to the
default file found in src/installer/resources/conf-tmpl/internal.xml.

NOTE: if you choose to use an unsupported JDK version from a different
source, you may need to experiment or do some research to determine
the appropriate parser configuration settings to use in internal.xml.
Note also that it is possible to introduce vulnerabilities if improper
settings are applied.


Credits
=======
Kaspar Brand, SWITCH


URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20141103.txt

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----