Bug 1908535 (CVE-2020-29509) - CVE-2020-29509 go: encoding/xml: XML attribute instability
Summary: CVE-2020-29509 go: encoding/xml: XML attribute instability
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-29509
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1913071
TreeView+ depends on / blocked
 
Reported: 2020-12-16 23:58 UTC by Jason Shepherd
Modified: 2023-08-30 23:52 UTC (History)
30 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go. Encoding and decoding of XML attributes could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on attribute integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
Clone Of:
Environment:
Last Closed: 2020-12-18 13:31:04 UTC
Embargoed:

Attachments (Terms of Use)

Description Jason Shepherd 2020-12-16 23:58:19 UTC 
Encoding and decoding of XML attributes could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on attribute integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
Comment 2 Jason Shepherd 2020-12-16 23:58:24 UTC 
External References:

https://github.com/mattermost/xml-roundtrip-validator/blob/master/advisories/unstable-attributes.md

https://mattermost.com/blog/coordinated-disclosure-go-xml-vulnerabilities/

https://github.com/golang/go/issues/43168
Comment 3 Jason Shepherd 2020-12-16 23:58:26 UTC 
Mitigation:

While there is unlikely to be any fix for this issue Go's encoding/xml library affected users can workaround the vulnerability by using Mattermost's xml-roundtrip-validator [1].

[1] https://github.com/mattermost/xml-roundtrip-validator
Comment 4 Jason Shepherd 2020-12-17 00:35:15 UTC 
There are many potentially affected components using the encoding/xml library in Go. An initial investigation of OpenShift has not found any apart which are vulnerable to these issues.

There is no support for using SAML as an authentication provider in OpenShift [1]. There is a community support SAML authentication provider, but it uses mod_auth_melon [2] which is not written in Go.

[1] https://github.com/openshift/request-header-saml-service-provider
[2] https://github.com/latchset/mod_auth_mellon

OpenShift uses the aws-sdk-go library which includes SAML support via it's AssumeRoleWithSAML api call [3], but that type is not used in the OpenShift 4.x codebase.

[3] https://github.com/aws/aws-sdk-go/blob/master/service/sts/api.go#L261
Comment 8 Product Security DevOps Team 2020-12-18 13:31:04 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29509
Comment 10 Jason Shepherd 2020-12-21 23:30:29 UTC 
The awk-sdk-go project has confirmed that are not affected by these vulnerabilities. https://github.com/aws/aws-sdk-go/issues/3697#issuecomment-746677844
Comment 12 Przemyslaw Roguski 2021-01-08 12:25:18 UTC 
Statement:

All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger,  OpenShift Service Mesh (OSSM), OpenShift Virtualization and OpenShift Container Storage do not rely on XML stability. We have assigned CVE-2020-27846 for crewjam/saml, and CVE-2020-27847 for dexidp/dex Go modules which are known to use encoding/xml in an unsafe way.

As it is unlikely for there to be any fix for this issue in Go's encoding/xml library, and the library should not be relied upon for security-sensitive protocols such as SAML and XML-DSig, there is currently no plan to fix this in golang as shipped in Red Hat Enterprise Linux 7, 8, or Red Hat Developer Tools.
Note You need to log in before you can comment on or make changes to this bug.