AUSCERT External Security Bulletin Redistribution
Xerces-J XML Parser Vulnerable to Denial of Service
5 November 2014
AusCERT Security Bulletin Summary
Product: Shibboleth Identity Provider
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Denial of Service -- Remote/Unauthenticated
CVE Names: CVE-2013-4002
--------------------------BEGIN INCLUDED TEXT--------------------
Shibboleth Identity Provider Security Advisory [3 November 2014]
Xerces-J XML Parser Vulnerable to Denial of Service
The Shibboleth IdP software has historically required the use of the
Xerces-J XML parser and was shipped with packaging, configuration, and
documentation that required the use of the Java Endorsement mechanism
to override the JDK-supplied parser and substitute the use of Xerces.
In 2013, a denial of service issue was disclosed in the parser, but
overlooked by most of the industry until recently. The Xerces Project
corrected the bug in their source tree, but has never issued an update
that addresses the problem.
The Xerces issue was assigned CVE-2013-4002.
Recent versions of the Shibboleth software can be configured to use
the standard XML parser provided with the supported Oracle or OpenJDK
Java software. An updated version of the IdP,
V2.4.3, is also now available that explicitly omits the Xerces library
and related files, and includes a configuration change required for
the use of the built-in parser.
Versions of the IdP prior to V2.4.0, which are formally unsupported,
contain dependencies that make it more difficult to change the parser
used. In such cases, and in fact with newer versions as well, we
recommend an additional change that also closes the vulnerability:
limiting the size of form POST data allowed by the Java container software.
The recommended container for all versions of Shibboleth is now Jetty 9,
which defaults to a POST limit of 200k and is not vulnerable to this issue.
Tomcat, along with most other containers, defaults to a larger limit that
should be changed to mitigate this issue and make future threats much less
All versions of the Identity Provider using the Xerces-J parser,
typically through the Java Endorsement mechanism. All versions prior
to V2.4.3 include the Xerces software, and include configuration
settings that work with it specifically.
That is, if the conf/internal.xml file is unmodified, you are using
Xerces and are vulnerable to this issue.
All containers other than Jetty: refer to your container documentation
and if possible, configure the container to reject form POST sizes
larger than 100k.
In the case of Tomcat (including many versions of JBoss), the maxPostSize
attribute is used to adjust this limit in any <Connector> element in
conf/server.xml (this setting can apply to both HTTP/HTTPS and AJP).
Setting maxPostSize="100000" is a reasonable limit.
Deployers running IdP V2.4.0 or greater should unendorse the Xerces/Xalan
libraries from their container and adjust the configuration as follows:
Edit $IDP_HOME/conf/internal.xml. Find the bean definition containing
class="org.apache.xerces.util.SecurityManager" and change the class
name to "com.sun.org.apache.xerces.internal.util.SecurityManager".
If your IdP startup fails with a ClassNotFound error mentioning
"org.apache.xerces.util.SecurityManager", this is due to failure to
edit the file as described.
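The following audit script is added here and is not part of the advisory or of the Shibboleth project. It checks the two settings the advisory describes: whether any Tomcat <Connector> in server.xml still allows POST bodies above the recommended 100k (unset, which falls back to Tomcat's documented 2 MB default, or -1 for unlimited), and whether conf/internal.xml still names the Xerces SecurityManager class. Both XML inputs are constructed, simplified samples; a real internal.xml contains many more beans.

```python
# Added audit script (not from the advisory): flags Tomcat connectors whose
# maxPostSize exceeds the advisory's 100k recommendation and detects the
# Xerces SecurityManager bean that shows the endorsed Xerces parser is in use.
import xml.etree.ElementTree as ET

RECOMMENDED_MAX_POST = 100000       # bytes, per the advisory
TOMCAT_DEFAULT_MAX_POST = 2097152   # Tomcat's documented default when unset (2 MB)
XERCES_SM = "org.apache.xerces.util.SecurityManager"
JDK_SM = "com.sun.org.apache.xerces.internal.util.SecurityManager"


def oversized_connectors(server_xml: str):
    """Return (port, effective maxPostSize) for each Connector whose POST
    limit is unlimited (-1), unset (Tomcat default), or above 100000."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        raw = conn.get("maxPostSize")
        limit = TOMCAT_DEFAULT_MAX_POST if raw is None else int(raw)
        if limit < 0 or limit > RECOMMENDED_MAX_POST:
            findings.append((conn.get("port"), limit))
    return findings


def uses_xerces_security_manager(internal_xml: str) -> bool:
    """True if any Spring <bean> in internal.xml still names the Xerces class."""
    for el in ET.fromstring(internal_xml).iter():
        if el.tag.split("}")[-1] == "bean" and el.get("class") == XERCES_SM:
            return True
    return False


# Constructed sample server.xml: one connector left at the default, one
# explicitly unlimited, and one corrected as the advisory recommends.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8009" protocol="AJP/1.3" maxPostSize="-1"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxPostSize="100000"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# Constructed, minimal stand-in for conf/internal.xml before the edit.
SAMPLE_INTERNAL_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean class="org.apache.xerces.util.SecurityManager"/>
</beans>"""

if __name__ == "__main__":
    for port, limit in oversized_connectors(SAMPLE_SERVER_XML):
        print(f"Connector {port}: maxPostSize {limit} exceeds {RECOMMENDED_MAX_POST}")
    if uses_xerces_security_manager(SAMPLE_INTERNAL_XML):
        print(f"internal.xml still references {XERCES_SM}; change it to {JDK_SM}")
```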
IdP V2.4.3 is also available and no longer includes the unneeded jars,
does not install a lib/endorsed directory, and includes an internal.xml
file modified as above. Upgrading to this version will not overwrite the
installed copy of internal.xml, but you can compare your version to the
default file found in src/installer/resources/conf-tmpl/internal.xml.
NOTE: if you choose to use an unsupported JDK version from a different
source, you may need to experiment or do some research to determine
the appropriate parser configuration settings to use in internal.xml.
Note also that it is possible to introduce vulnerabilities if improper
settings are applied.
Kaspar Brand, SWITCH
URL for this Security Advisory
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.