[midPoint] Security Advisory: XXE Vulnerabilities
Radovan Semancik
radovan.semancik at evolveum.com
Wed Apr 17 14:00:18 CEST 2019
Date: 17 Apr 2019
Severity: Medium (CVSS 6.8)
Affected versions: all midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1
(unreleased), 3.7.2 (unreleased), 3.6.2 (unreleased)
Description
The way midPoint handles XML documents is vulnerable to attacks based
on XML External Entities (XXE). midPoint parses XML documents that can
contain embedded DTD and entity declarations. These can be abused to
gain access to information that otherwise should not be accessible.
Severity and Impact
This is a medium-severity issue. The attacker can read files that are
accessible to the process that midPoint is running in. However, it is
unlikely that this vulnerability could expose any information that
cannot be exposed by other means already (see below).
Mitigation
MidPoint users are advised to upgrade their deployments to the latest
builds from the support branches.
As this is a medium-severity issue, it does not force official
maintenance releases of midPoint. However, the fix is provided in all
the support branches.
Discussion and Explanation
The attacker needs the ability to add or modify XML files in the system,
e.g. the ability to edit objects in raw XML form, create queries in XML
form and so on. Therefore this vulnerability is usually exposed only to
system administrators who already have high privileges. In that case it
is unlikely that this vulnerability would expose any information that
cannot be exposed by other mechanisms already. E.g. system
administrators can use script expressions to get the same information
as is exposed by the XXE vulnerabilities.
However, there is a planned solution to limit data exposure by
expressions. Once that mechanism is implemented, the XXE vulnerability
may become a significant problem. Therefore the use of XXE in XML was
explicitly disabled. This reduces potential data exposure in future
midPoint versions.
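The hardening described above (refusing DTD and entity declarations so
that an XML document cannot pull in external content) can be verified
in a standard JAXP parser as follows. This is an added example, not
midPoint's own code nor the actual fix; the class name
HardenedXmlParser, the sample documents and the placeholder file path
are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedXmlParser {

    // Build a DocumentBuilderFactory with DTD processing and external entity
    // resolution switched off. The feature URIs are the standard Xerces/SAX
    // ones honoured by the JDK's built-in parser.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE at all: without a DTD there are no entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a parser implementation ignores the feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse with the hardened factory; a document carrying a DOCTYPE (and
    // hence any entity declaration) is rejected with a SAXException.
    static Document parseHardened(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    // True if the hardened parser accepts the document, false if it rejects
    // it because of DOCTYPE/entity content.
    static boolean accepts(String xml) {
        try {
            parseHardened(xml);
            return true;
        } catch (SAXException e) {
            return false;
        } catch (ParserConfigurationException | IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: a benign object document of the kind an
        // administrator might submit in raw XML form.
        String benign = "<user><name>alice</name></user>";
        // Constructed sample: the same document carrying an inline DTD with an
        // external entity. The path is a placeholder, not a real file.
        String withDtd =
            "<!DOCTYPE user [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>"
          + "<user><name>&ext;</name></user>";

        System.out.println("benign document accepted:  " + accepts(benign));
        System.out.println("DOCTYPE document accepted: " + accepts(withDtd));
    }
}
```

Disallowing the DOCTYPE declaration outright is the simplest and most
robust setting, since it removes both internal and external entity
declarations in one step; the remaining features only matter for
deployments that must still accept some DTDs, and for parsers that do
not honour the Xerces-specific feature.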
Credit
Variants of this issue were reported by testers known as A855 and XiaoX
by means of the EU-Free and Open Source Software Auditing (EU-FOSSA2)
project.
See Also
https://wiki.evolveum.com/display/midPoint/Security+Advisory%3A+XXE+Vulnerabilities
--
Radovan Semancik
Software Architect
evolveum.com