=====================================================================
CERT-Renater Information Note No. 2014/VULN246
_____________________________________________________________________

DATE                 : 04/11/2014 (4 November 2014)
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running a Shibboleth IdP (versions prior to
                       2.4.3) with the Xerces-J XML parser.

======================================================================
http://shibboleth.net/community/advisories/secadv_20141103.txt
______________________________________________________________________

Shibboleth Identity Provider Security Advisory [3 November 2014]

Xerces-J XML Parser Vulnerable to Denial of Service
=========================================================================

The Shibboleth IdP software has historically required the use of the
Xerces-J XML parser and was shipped with packaging, configuration, and
documentation that required the use of the Java Endorsement mechanism to
override the JDK-supplied parser and substitute Xerces.

In 2013, a denial of service issue was disclosed in the parser, but it was
overlooked by most of the industry until recently. The Xerces Project
corrected the bug in their source tree, but has never issued a release that
addresses the problem. The Xerces issue was assigned CVE-2013-4002.

Recent versions of the Shibboleth software can be configured to use the
standard XML parser provided with the Oracle and OpenJDK Java runtimes that
are supported for use with the IdP. An updated version of the IdP, V2.4.3,
is also now available that explicitly omits the Xerces library and related
files, and includes the configuration change required for the use of the
built-in parser.

Versions of the IdP prior to V2.4.0, which are formally unsupported, contain
dependencies that make it more difficult to change the parser used.
In such cases, and in fact with newer versions as well, we recommend an
additional change that also closes the vulnerability: limiting the size of
form POST data accepted by the Java servlet container (e.g., Tomcat). The
recommended container for all versions of Shibboleth is now Jetty 9, which
defaults to a POST limit of 200k and is not vulnerable to this issue.
Tomcat, along with most other containers, defaults to a larger limit (2 MB
in Tomcat's case) that should be lowered to mitigate this issue and make
future threats of this kind much less likely.

Affected Versions
=================

All versions of the Identity Provider using the Xerces-J parser, typically
through the Java Endorsement mechanism.

All versions prior to V2.4.3 include the Xerces software, and include
configuration settings that work with it specifically. That is, if the
conf/internal.xml file is unmodified, you are using Xerces and are
vulnerable to this issue.

Recommendations
===============

All containers other than Jetty: refer to your container documentation and,
if possible, configure the container to reject form POST sizes larger than
100k. In the case of Tomcat (including many versions of JBoss), the
maxPostSize attribute of each <Connector> element in conf/server.xml
adjusts this limit (the setting applies to HTTP/HTTPS and AJP connectors
alike, so set it on every connector through which requests reach the IdP).
Setting maxPostSize="100000" is a reasonable limit.

Deployers running IdP V2.4.0 or greater should unendorse the Xerces/Xalan
libraries from their container, and adjust the configuration as follows:

Edit $IDP_HOME/conf/internal.xml. Find the bean definition containing
class="org.apache.xerces.util.SecurityManager" and change the class name to
"com.sun.org.apache.xerces.internal.util.SecurityManager".

If your IdP startup fails with a ClassNotFound error mentioning
"org.apache.xerces.util.SecurityManager", this is due to failure to edit
the file as described.
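The container check and the internal.xml edit above, as an added example that is not part of the Shibboleth or CERT-Renater advisory: a POSIX shell script that reports whether conf/internal.xml still names the Xerces SecurityManager bean, rewrites it to the JDK class the advisory gives, lists Xerces/Xalan jars left in a container's endorsed directory, and walks every <Connector> in a Tomcat server.xml to report its effective maxPostSize against the recommended 100k. Assumptions (not taken from the advisory): Tomcat's default maxPostSize of 2 MB when the attribute is absent and "no limit" for values of zero or below; the jar name patterns of the IdP 2.x endorsed set; and the sample internal.xml and server.xml the script writes for a dry run are constructed, cut down to the elements the advisory names, not copies of the shipped files.

```shell
#!/bin/sh
# Added example, not from the Shibboleth or CERT-Renater advisory. Checks an
# IdP 2.x deployment for the conditions the advisory describes and applies
# the internal.xml edit it recommends. Needs only a POSIX shell, grep, sed, awk.

XERCES_SM='org.apache.xerces.util.SecurityManager'
JDK_SM='com.sun.org.apache.xerces.internal.util.SecurityManager'
MAX_POST=100000          # bytes: the Tomcat limit the advisory recommends
TOMCAT_DEFAULT=2097152   # assumption: Tomcat's maxPostSize when absent (2 MB)

# 0 when internal.xml still references the bundled Xerces SecurityManager bean,
# the advisory's indicator that the deployment parses XML with Xerces-J.
idp_uses_xerces() {
    grep -q "class=\"$XERCES_SM\"" "$1"
}

# The recommended edit: point the bean at the JDK parser's SecurityManager,
# keeping a .orig copy. A file already edited is left alone.
fix_internal_xml() {
    idp_uses_xerces "$1" || return 0
    cp "$1" "$1.orig" &&
        sed "s#class=\"$XERCES_SM\"#class=\"$JDK_SM\"#" "$1.orig" > "$1"
}

# 0 when DIR (e.g. $CATALINA_HOME/endorsed) holds none of the jars the IdP 2.x
# installer endorsed; otherwise lists the leftovers. Name patterns are an assumption.
endorsed_clean() {
    [ -d "$1" ] || return 0
    ! ls "$1" | grep -i -E '^(xerces|xalan|xml-apis|serializer|resolver).*\.jar$'
}

# Walks every <Connector> in a Tomcat server.xml (multi-line elements and XML
# comments handled), prints its effective maxPostSize, and returns 1 if any
# connector lacks the attribute, exceeds $MAX_POST, or disables the limit (<= 0).
tomcat_post_limit_ok() {
    awk -v limit="$MAX_POST" -v dflt="$TOMCAT_DEFAULT" '
    function check(el,    v, port) {
        v = dflt
        if (match(el, /maxPostSize="[^"]*"/)) v = substr(el, RSTART + 13, RLENGTH - 14)
        port = "?"
        if (match(el, /port="[^"]*"/)) port = substr(el, RSTART + 6, RLENGTH - 7)
        if (v + 0 <= 0 || v + 0 > limit + 0) { bad++; print "port " port ": maxPostSize=" v " FAIL" }
        else print "port " port ": maxPostSize=" v " ok"
    }
    {
        line = $0
        while (length(line) > 0) {
            if (incomment) {                       # skip to the end of the comment
                i = index(line, "-->"); if (i == 0) break
                line = substr(line, i + 3); incomment = 0
            }
            if (inel) {                            # gather the element up to its ">"
                i = index(line, ">")
                if (i == 0) { el = el " " line; break }
                el = el " " substr(line, 1, i); line = substr(line, i + 1)
                inel = 0; check(el); continue
            }
            c = index(line, "<!--"); e = index(line, "<Connector")
            if (c > 0 && (e == 0 || c < e)) { incomment = 1; line = substr(line, c + 4); continue }
            if (e > 0) { inel = 1; el = ""; line = substr(line, e); continue }
            break
        }
    }
    END { exit (bad > 0) }' "$1"
}

# Constructed samples for a dry run (not copies of the shipped files): an
# internal.xml cut down to the bean the advisory names, a server.xml whose
# HTTP connector relies on Tomcat's default, and a fixed copy of the latter.
write_sample_files() {
    cat > "$1/internal.xml" <<'EOF'
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="shibboleth.ParserPool" class="org.opensaml.xml.parse.BasicParserPool">
    <property name="builderAttributes">
      <map>
        <entry key="http://apache.org/xml/properties/security-manager">
          <bean class="org.apache.xerces.util.SecurityManager" />
        </entry>
      </map>
    </property>
  </bean>
</beans>
EOF
    cat > "$1/server.xml" <<'EOF'
<!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="8443" />
<Connector port="8009" protocol="AJP/1.3" maxPostSize="100000" />
EOF
    sed 's#redirectPort="8443"#redirectPort="8443" maxPostSize="100000"#' \
        "$1/server.xml" > "$1/server-fixed.xml"
}

# Usage: sh idp-xerces-check.sh $IDP_HOME/conf $CATALINA_HOME/conf [$CATALINA_HOME/endorsed]
if [ "$#" -ge 2 ]; then
    idp_uses_xerces "$1/internal.xml" && echo "internal.xml: Xerces SecurityManager bean present (affected)"
    tomcat_post_limit_ok "$2/server.xml" || echo "server.xml: set maxPostSize=$MAX_POST on the connectors marked FAIL"
    endorsed_clean "${3:-}" || echo "endorsed dir: remove the jars listed above"
fi
```

The script only reports and rewrites configuration; after running fix_internal_xml, restart the IdP and confirm it starts cleanly, since a ClassNotFound error at that point means the endorsed jars and the bean class no longer match. The awk walker assumes the usual server.xml layout (one attribute list per <Connector>, comments delimited by <!-- and -->); a connector generated by templating tools should be checked by hand.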
IdP V2.4.3 is also available; it no longer includes the unneeded jars, does
not install a lib/endorsed directory, and includes an internal.xml file
modified as above. Upgrading to this version will not overwrite the
installed copy of internal.xml, but you can compare your version to the
default file found in src/installer/resources/conf-tmpl/internal.xml

NOTE: if you choose to use an unsupported JDK version from a different
source, you may need to experiment or do some research to determine the
appropriate parser configuration settings to use in internal.xml. Note also
that it is possible to introduce vulnerabilities if improper settings are
applied.

Credits
=======

Kaspar Brand, SWITCH

URL for this Security Advisory
http://shibboleth.net/community/advisories/secadv_20141103.txt

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41           +
+ 75013 Paris          | email: cert@support.renater.fr  +
==========================================================