Encoding and decoding of XML elements could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on element integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
There are many potentially affected components using the encoding/xml library in Go. An initial investigation of OpenShift has not found any apart which are vulnerable to these issues.
There is no support for using SAML as an authentication provider in OpenShift . There is a community support SAML authentication provider, but it uses mod_auth_melon  which is not written in Go.
OpenShift uses the aws-sdk-go library which includes SAML support via it's AssumeRoleWithSAML api call , but that type is not used in the OpenShift 4.x codebase.
While there is unlikely to be any fix for this issue Go's encoding/xml library affected users can workaround the vulnerability by using Mattermost's xml-roundtrip-validator .
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
The awk-sdk-go project has confirmed that are not affected by these vulnerabilities. https://github.com/aws/aws-sdk-go/issues/3697#issuecomment-746677844
All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger, OpenShift Service Mesh (OSSM), OpenShift Virtualization and OpenShift Container Storage do not rely on XML stability. We have assigned CVE-2020-27846 for crewjam/saml, and CVE-2020-27847 for dexidp/dex Go modules which are known to use encoding/xml in an unsafe way.
As it is unlikely for there to be any fix for this issue in Go's encoding/xml library, and the library should not be relied upon for security-sensitive protocols such as SAML and XML-DSig, there is currently no plan to fix this in golang as shipped in Red Hat Enterprise Linux 7, 8, or Red Hat Developer Tools.