05 November 2014
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.2056 Xerces-J XML Parser Vulnerable to Denial of Service 5 November 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Shibboleth Identity Provider Publisher: Shibboleth Operating System: Windows UNIX variants (UNIX, Linux, OSX) Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2013-4002 Reference: ESB-2014.1694 ESB-2014.1385 ESB-2014.0538 ASB-2013.0124 ASB-2013.0113 Original Bulletin: http://shibboleth.net/community/advisories/secadv_20141103.txt - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Shibboleth Identity Provider Security Advisory [3 November 2014] Xerces-J XML Parser Vulnerable to Denial of Service ========================================================================= The Shibboleth IdP software has historically required the use of the Xerces-J XML parser and was shipped with packaging, configuration, and documentation that required the use of the Java Endorsement mechanism to override the JDK-supplied parser and substitute the use of Xerces. In 2013, a denial of service issue was disclosed in the parser, but overlooked by most of the industry until recently. The Xerces Project corrected the bug in their source tree, but has never issued an update that addresses the problem. The Xerces issue was assigned CVE-2013-4002. Recent versions of the Shibboleth software can be configured to use the standard XML parser provided with the Oracle or OpenJDK Java software that are supported for use. An updated version of the IdP, V2.4.3, is also now available that explicitly omits the Xerces library and related files, and includes a configuration change required for the use of the built-in parser. Versions of the IdP prior to V2.4.0, which are formally unsupported, contain dependencies that make it more difficult to change the parser used. In such cases, and in fact with newer versions, we recommend an additional change that also closes the vulnerability, limiting the size of form POST data allowed by the Java container software (e.g., Tomcat). The recommended container for all versions of Shibboleth is now Jetty 9, which defaults to a POST limit of 200k and is not vulnerable to this issue. Tomcat, along with most other containers, defaults to a larger limit that should be changed to mitigate this issue and make future threats much less likely. Affected Versions ================= All versions of the Identity Provider using the Xerces-J parser, typically through the Java Endorsement mechanism. All versions prior to V2.4.3 include the Xerces software, and include configuration settings that work with it specifically. That is, if the conf/internal.xml file is unmodified, you are using Xerces and are vulnerable to this issue. Recommendations =============== All containers other than Jetty: refer to your container documentation and if possible, configure the container to reject form POST sizes larger than 100k. In the case of Tomcat (including many versions of JBoss), the maxPostSize attribute is used to adjust this limit in any <Connector> element in conf/server.xml (this setting can apply to both HTTP/HTTPS and AJP). Setting maxPostSize="100000" is a reasonable limit. Deployers running IdP V2.4.0 or greater should unendorse the Xerces/Xalan libraries from your container, and adjust your configuration as follows: Edit $IDP_HOME/conf/internal.xml. Find the bean definition containing class="org.apache.xerces.util.SecurityManager" and change the class name to "com.sun.org.apache.xerces.internal.util.SecurityManager" If your IdP startup fails with a ClassNotFound error mentioning "org.apache.xerces.util.SecurityManager", this is due to failure to edit the file as described. IdP V2.4.3 is also available and no longer includes the unneeded jars, does not install a lib/endorsed directory, and includes an internal.xml file modified as above. Upgrading to this version will not overwrite the installed copy of internal.xml, but you can compare your version to the default file found in src/installer/resources/conf-tmpl/internal.xml NOTE: if you choose to use an unsupported JDK version from a different source, you may need to experiment or do some research to determine the appropriate parser configuration settings to use in internal.xml. Note also that it is possible to introduce vulnerabilities if improper settings are applied. Credits ======= Kaspar Brand, SWITCH URL for this Security Advisory http://shibboleth.net/community/advisories/secadv_20141103.txt - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCgAGBQJUV81FAAoJEDeLhFQCJ3lifCIP+wQ5IyBYAovhHwjbFwjO969N pn8SB4jeYdbayIl+3UqM38uTlldzwj3HfpTImRUhF9OBMqHL130CcASjME+mUDkX Ss4bIzXgFABdXCEIqI5+hh5F15X2+2dAqVUl6pve5VrP50ulwfFEAXFln8lhPJnv yZ6Fq2nJ3a55eAA5Xbt6Jtn7fTO/hhjTGMH11e4IqXFQhoCNtcQTQasnIFkwDioB SrzqfBm2qd/4fvVbsEoo4YJh0ePobMbwSoJZ9A/b4fDVUbzLDBde/8CdrvVjasS2 W+aeNT9KnykD89rMoSj1YQF5Jox8XOSIfssAHA8gyZzSWWqOpHbY48k1h7RU/z7J rPk2laXl8zbCRNFXKxiOO9rhSZibtSFSlm0eQh7VeRtT06ehS0LG7EMserjtAgUC WZIl/zApHyJh+Oo5nD93Rqg2w2xNZJY022AXlQM3OLIRwdsFW+WqZmlUReeIB3qG a+sB0E3Nz5SVdgYdCwlgMscuNVOudP/Jz0J1lIBkoLt7aHS4gKppDoaIDCQbOlf5 X8pRkb0aRw6fyMHH5b2vlrP7D2sWGrZ5lQXMZVTQmNLPbM6sUTt2dcf5d2wzC4Lf jftKrvQkXvt10S2FTEmxEtm4hM4zd1YXRLVGmo9UiFvGWjcTBBlphZg957Yrc5U8 jTaXxJr18rt4KivjcdZk =xcbl - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBVFl+aBLndAQH1ShLAQK6Sg/8DznhpzncZp4NRRvwfCSBlz3MtlEvpMJ+ TmvAGEXNvbkyJ5TLE0iTucVxsUnwLdKrjhz+X2PKnxKLaTvsSIe2GmwRxVCirxvi xozR8GAweH4KKOjBs3KyNu9RPpTzbtvNTBCgRFTzdDT/r3lIKZM9cb1Vzw3H9yH/ 96OWvZ0SZYOI7vE6Gl9qtoJrtG0fTwOR6RHsaQ2DukxFnUSsCWcV+JD5LN1aaTjX gt64L7DzYzxuMndxifOg2aD5O9FIdRIV0d5Y9/dHPXJg0nSsWPpgTaRSpQRbPICH xKe8poYsRUgoo4YPuk5zF+6CVSdUsqcBGCFNmhwtvjKb5fd0B7tjg1Y6Bnfyx4CQ zOs6UKEv0AoFtC5Dg+Wss1wcgQom/zlmYdlfrSWWNi8fYrbE2UezdyVGbyVMM8FW Ftxg/PbHOHT1i0+YI2KJbeYMybGk/ne3Wq0VU19zZinYGXNCHP0P8S03ADWIEHx7 raaTUivOQ48eWTB2pS9S0RBaY9C+rIHTKJbx+FIxALgpdJJWVw+nqfQJ0BV3wASY sxfunWtNbF5VXRCqQDeuHxPadYBoTKHg0FZN1iGzXD7QRwdyILBaZ4VYRB7SZmZN AVEEnph7jdmBKyt+5MslRQ+sqwtDSS8/ONFrsAchqYWBguszFpMCv8oV0TvfDNiH bs1X5jsoxwU= =hcta -----END PGP SIGNATURE-----