Bug 2011190 (CVE-2021-40690)

Summary: CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, agrimm, aileenc, antti.andreimann, aos-bugs, asoldano, atangrin, bbaranow, bcoca, bibryam, bmaxwell, bmontgom, brian.stansberry, caswilli, cdewolf, chazlett, chousekn, darran.lofthouse, davidn, dkreling, dosoudil, drieden, eleandro, eparis, eric.wittmann, ewolinet, extras-orphan, fjuma, gblomqui, ggaughan, gmalinko, gvarsami, hbraun, iweiss, janstey, java-sig-commits, jburrell, jcammara, jcantril, jcoleman, jhardy, jnethert, jobarker, jochrist, jokerman, jolee, jpallich, jperkins, jschatte, jstastny, jwon, kaycoth, kloczko.tomasz, krathod, kwills, ldimaggi, lef, lgao, loleary, mabashia, mihkel.vain, msochure, msvehla, nstielau, nwallace, osapryki, pantinor, pdelbell, pdrozd, pjindal, pmackay, puntogil, relrod, rguimara, rpetrell, rstancel, rsvoboda, rwagner, sdoran, smaestri, smcdonal, spinder, sponnaga, sthorger, tcunning, theute, tkirby, tkuratom, tom.jenkinson, vkumar, yborgess
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: xmlsec-2.1.7 xmlsec-2.2.3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-12-15 15:58:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2011191, 2011192    
Bug Blocks: 2011193    

Description Marian Rehak 2021-10-06 08:52:00 UTC
An issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

External Reference:

https://lists.debian.org/debian-lts-announce/2021/09/msg00015.html

Comment 1 Marian Rehak 2021-10-06 08:52:36 UTC
Created xml-security tracking bugs for this issue:

Affects: epel-7 [bug 2011192]


Created xml-security-c tracking bugs for this issue:

Affects: fedora-all [bug 2011191]

Comment 9 Jonathan Christison 2021-10-07 18:45:13 UTC
Marking this flaw as having a Moderate impact (was Important) as per Red Hat security ratings - 

"This rating is given to flaws that may be more difficult to exploit but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances. These are the types of vulnerabilities that could have had a Critical or Important impact but are less easily exploited based on a technical evaluation of the flaw, and/or affect unlikely configurations."

This is based on the flaw requiring some prerequisites which we think are unlikely to occur in applications using Santuario, namely that unprivileged users would be able to manipulate XML to inject the retrievalMethod element and that XPath transformations also be under the attackers control.

Comment 10 Tomasz Kłoczko 2021-10-08 01:23:44 UTC
Is it any patch for that issue?
If not I don;t see what more ATM I can do ..

Comment 12 Jonathan Christison 2021-10-08 08:53:42 UTC
@Tomasz thanks for your enquiry, the likely fixing commit (https://github.com/apache/santuario-xml-security-java/pull/51/commits/5bcbf7d4c5ef36f09543b05294e9497bae0f95f6) is specific to the java implementation so i do not believe this affects xml-security-c

Comment 15 Jonathan Christison 2021-10-15 13:08:01 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Fuse Service Works 6
 * Red Hat JBoss Data Virtualization 6
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss SOA Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 21 errata-xmlrpc 2021-12-15 14:35:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 7

Via RHSA-2021:5150 https://access.redhat.com/errata/RHSA-2021:5150

Comment 22 errata-xmlrpc 2021-12-15 14:41:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 8

Via RHSA-2021:5151 https://access.redhat.com/errata/RHSA-2021:5151

Comment 23 errata-xmlrpc 2021-12-15 14:42:52 UTC
This issue has been addressed in the following products:

  EAP 7.3.10 GA

Via RHSA-2021:5154 https://access.redhat.com/errata/RHSA-2021:5154

Comment 24 errata-xmlrpc 2021-12-15 14:50:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.3 for RHEL 6

Via RHSA-2021:5149 https://access.redhat.com/errata/RHSA-2021:5149

Comment 25 Product Security DevOps Team 2021-12-15 15:58:40 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-40690

Comment 26 errata-xmlrpc 2021-12-15 19:09:01 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.4.10

Via RHSA-2021:5170 https://access.redhat.com/errata/RHSA-2021:5170

Comment 27 errata-xmlrpc 2022-01-17 12:03:08 UTC
This issue has been addressed in the following products:

  Red Hat EAP-XP 2 via EAP 7.3.x base

Via RHSA-2022:0146 https://access.redhat.com/errata/RHSA-2022:0146

Comment 28 errata-xmlrpc 2022-01-17 21:30:33 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 8

Via RHSA-2022:0152 https://access.redhat.com/errata/RHSA-2022:0152

Comment 29 errata-xmlrpc 2022-01-17 21:31:30 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.5 for RHEL 7

Via RHSA-2022:0151 https://access.redhat.com/errata/RHSA-2022:0151

Comment 30 errata-xmlrpc 2022-01-17 21:46:41 UTC
This issue has been addressed in the following products:

  RHSSO 7.5.1

Via RHSA-2022:0155 https://access.redhat.com/errata/RHSA-2022:0155

Comment 31 errata-xmlrpc 2022-01-18 14:53:58 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2022:0164 https://access.redhat.com/errata/RHSA-2022:0164

Comment 32 errata-xmlrpc 2022-02-09 16:18:18 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.0.3 GA

Via RHSA-2022:0501 https://access.redhat.com/errata/RHSA-2022:0501

Comment 33 errata-xmlrpc 2022-03-22 15:34:44 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013

Comment 34 errata-xmlrpc 2022-07-07 14:21:31 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 35 errata-xmlrpc 2022-09-09 07:12:55 UTC
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407