
XEE security enhancements

Thierry Boileau edited this page Oct 2, 2017 · 18 revisions

Summary

This page lists the reported security issues and the related enhancements.

Vulnerability CVE-2017-14949

Restlet Framework XEE vulnerability is referenced as CVE-2017-14949.

Note: Version 2.3.12 introduced an enhancement to circumvent this vulnerability; newer versions also include the fix.

Thanks to Man Yue Mo of Semmle Inc. and lgtm.com for reporting this issue to us and providing assistance while fixing it.

Identified vulnerabilities

User code that relies on the "XML" Restlet Framework extension is subject to the XEE vulnerability.

Security enhancements

The XmlRepresentation (and the inherited DomRepresentation and SaxRepresentation) and JacksonRepresentation classes and their subclasses rely on an attribute called "expandingEntityRefs". This attribute was introduced when handling vulnerability CVE-2014-1868. Unfortunately, setting this attribute to false did not properly prevent the expansion of external entities. The security fix ensures incoming XML streams are parsed safely in order to block the expansion of entities.

Vulnerability CVE-2017-14868

Restlet Framework XEE vulnerability is referenced as CVE-2017-14868.

Note: Version 2.3.11 introduced an enhancement to circumvent this vulnerability; newer versions also include the fix.

Thanks to Man Yue Mo of Semmle Inc. and lgtm.com for reporting this issue to us and providing assistance while fixing it.

Identified vulnerabilities

User code that relies on the "Jax-rs" Restlet Framework extension is subject to the XEE vulnerability.

Security enhancements

The security fix ensures incoming XML streams are parsed safely in order to block expansion of entities.

Technical details

The issue was introduced by the external library simple-xml. At the time of writing, this library has been forked in order to provide a fix quickly. The maintenance team has been contacted, and we are waiting for their answer.

Vulnerability CVE-2014-1868

Restlet Framework XEE vulnerability is referenced as CVE-2014-1868.

Note: Versions 2.1.7 and 2.2 RC1 introduced enhancements and default behaviors to circumvent this vulnerability; newer versions also include the fix.

For details regarding XEE (XML Entity Expansion), see http://en.wikipedia.org/wiki/Billion_laughs. Thanks to Alvaro Munoz from HP Fortify for reporting the issue and for his assistance with the CVE process.

Identified vulnerabilities

User code that relies on the following Restlet Framework extensions is subject to the XEE vulnerability:

  • the "xml" extension,
  • "atom", "javamail", "lucene", "odata", "openid", "rdf", "wadl", "xdb", which directly depend on the "xml" extension,
  • "jackson", "jaxb", "jibx", "xstream", "rome", which provide automatic converters.

Security enhancements

If your code leverages XmlRepresentation or XML serializers

The following Restlet Framework components are affected:

  • XmlRepresentation and its subclasses: SaxRepresentation, DomRepresentation,
  • the representations that handle serialization and deserialization between class instances and XML streams: JacksonRepresentation, JibxRepresentation, XStreamRepresentation, SyndFeedRepresentation (rome).

The security fix ensures incoming XML streams are parsed safely: at the representation level, we've added specific attributes, accessors and constructors (for the case where XML parsing happens at instantiation time).

Technical details

The XmlRepresentation (and the inherited DomRepresentation and SaxRepresentation) and JacksonRepresentation classes and their subclasses declare two new attributes:

  • "expandingEntityRefs": instance attribute which specifies whether the parser should expand entity reference nodes, default value: false (inherited from XML_EXPANDING_ENTITY_REFS),
  • "validatingDtd": instance attribute to enforce XML stream validation against a DTD, default value: false (inherited from XML_VALIDATING_DTD).

You may override the default value of these attributes if you need entity expansion or DTD validation. In these cases, you'll be subject to the XEE vulnerability.

Moreover, the SaxRepresentation and its subclasses declare a third new attribute:

  • "secureProcessing": instance attribute which activates the SAX internal secure processing feature (to avoid XML overflow attacks), default value: true (inherited from XML_SECURE_PROCESSING).
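The following is an added example, not code from the Restlet Framework: it applies the three defaults described above directly to the JDK's built-in JAXP parser and contrasts a factory that only clears the entity-expansion flag with one that also stops DTD processing. The mapping from the Restlet attributes to these JAXP settings, the class name, and the sample documents are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class SafeXmlParsing {

    // Constructed sample: a document that declares and uses one internal entity.
    static final String WITH_DOCTYPE = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE note [<!ENTITY greeting \"hello\">]>"
            + "<note>&greeting;</note>";
    static final String PLAIN = "<note>hello</note>";

    // Only the flag that "expandingEntityRefs" = false suggests (assumed mapping).
    static DocumentBuilderFactory flagOnly() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setExpandEntityReferences(false);
        return f;
    }

    // The three defaults named on the page, plus features that stop DTD processing.
    static DocumentBuilderFactory hardened() throws Exception {
        DocumentBuilderFactory f = flagOnly();                       // expandingEntityRefs = false
        f.setValidating(false);                                      // validatingDtd = false
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);  // secureProcessing = true
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        return f;
    }

    // Parses the document and reports whether the parser accepted or rejected it.
    static String parse(DocumentBuilderFactory f, String xml) throws Exception {
        try {
            f.newDocumentBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted";
        } catch (SAXException e) {   // includes the fatal error raised for a DOCTYPE
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("flag only, DOCTYPE: " + parse(flagOnly(), WITH_DOCTYPE));
        System.out.println("hardened,  DOCTYPE: " + parse(hardened(), WITH_DOCTYPE));
        System.out.println("hardened,  plain:   " + parse(hardened(), PLAIN));
    }
}
```

The disallow-doctype-decl feature is an Apache Xerces feature name that the JDK's default parser recognizes; a different JAXP implementation may throw ParserConfigurationException when it is set.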

If your code uses Annotated ServerResources

In this case, the Restlet Framework engine calls XML converters that leverage the Representation classes and subclasses discussed above.

The security fix extends the control you have over the XML parsing handled at the Representation level, through the following class attributes:

  • XML_EXPANDING_ENTITY_REFS: class attribute that sets the default value for the "expandingEntityRefs" instance attribute. Default value is false (inherited from the "org.restlet.ext.xml.expandingEntityRefs" system property).

  • XML_VALIDATING_DTD: class attribute that provides the default value for the "validatingDtd" attribute. Default value is false (inherited from the "org.restlet.ext.xml.validatingDtd" system property).

  • XML_SECURE_PROCESSING: class attribute that provides the default value for the "secureProcessing" attribute. Default value is true (overridden by the "org.restlet.ext.xml.secureProcessing" system property).

Other XML Parsers

The enhancements described above concern the Jackson and Jaxb parsers.

The Rome extension relies on JDOM. Our internal XEE tests did not reveal any XEE vulnerability.

The XStream extension relies on SAX, and is explicitly configured to be XEE safe. Our internal XEE tests confirmed that there is no XEE vulnerability.

Concerning the JiBX and Emf extensions, our internal XEE tests did not reveal any XEE vulnerability. Yet, we welcome your feedback on these latter extensions.