Bug 1908547 (CVE-2020-29510)
| Summary: | CVE-2020-29510 go: encoding/xml: XML directives instability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | asm, bmontgom, bodavis, deparker, emachado, eparis, erooth, fdeutsch, gbrown, hchiramm, hvyas, jburrell, jesusr, jistone, jmulligan, jokerman, jpadman, jwendell, kconner, law, madam, mnewsome, nstielau, puebele, rcernich, rhs-bugs, sponnaga, storage-qa-internal, tstellar, twalsh |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in go. Encoding and decoding of XML directives could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on directive integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-12-18 13:31:08 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1913071 | ||
|
Description
Jason Shepherd
2020-12-17 01:14:59 UTC
External References: https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-directives.md https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/ https://github.com/golang/go/issues/43168 Mitigation: While there is unlikely to be any fix for this issue Go's encoding/xml library affected users can workaround the vulnerability by using Mattermost's xml-roundtrip-validator [1]. [1] https://github.com/mattermost/xml-roundtrip-validator There are many potentially affected components using the encoding/xml library in Go. An initial investigation of OpenShift has not found any apart which are vulnerable to these issues. There is no support for using SAML as an authentication provider in OpenShift [1]. There is a community support SAML authentication provider, but it uses mod_auth_melon [2] which is not written in Go. [1] https://github.com/openshift/request-header-saml-service-provider [2] https://github.com/latchset/mod_auth_mellon OpenShift uses the aws-sdk-go library which includes SAML support via it's AssumeRoleWithSAML api call [3], but that type is not used in the OpenShift 4.x codebase. [3] https://github.com/aws/aws-sdk-go/blob/master/service/sts/api.go#L261 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-29510 The awk-sdk-go project has confirmed that are not affected by these vulnerabilities. https://github.com/aws/aws-sdk-go/issues/3697#issuecomment-746677844 Statement: All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger, OpenShift Service Mesh (OSSM), OpenShift Virtualization and OpenShift Container Storage do not rely on XML stability. We have assigned CVE-2020-27846 for crewjam/saml, and CVE-2020-27847 for dexidp/dex Go modules which are known to use encoding/xml in an unsafe way. As it is unlikely for there to be any fix for this issue in Go's encoding/xml library, and the library should not be relied upon for security-sensitive protocols such as SAML and XML-DSig, there is currently no plan to fix this in golang as shipped in Red Hat Enterprise Linux 7, 8, or Red Hat Developer Tools. |