Bug 1908549 (CVE-2020-29511) - CVE-2020-29511 go: encoding/xml: XML element instability
Summary: CVE-2020-29511 go: encoding/xml: XML element instability
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-29511
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1913071
TreeView+ depends on / blocked
 
Reported: 2020-12-17 01:22 UTC by Jason Shepherd
Modified: 2021-06-24 14:18 UTC (History)
28 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go. Encoding and decoding of XML elements could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on element integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.
Clone Of:
Environment:
Last Closed: 2020-12-18 13:31:11 UTC


Attachments (Terms of Use)

Description Jason Shepherd 2020-12-17 01:22:48 UTC
Encoding and decoding of XML elements could lead to changes in the observed integrity. An attacker could use this flaw to trick applications which rely on element integrity for security decisions to make those decisions incorrectly. Known vulnerability use-cases are SAML and XML-DSig.

Comment 3 Jason Shepherd 2020-12-17 01:23:41 UTC
There are many potentially affected components using the encoding/xml library in Go. An initial investigation of OpenShift has not found any apart which are vulnerable to these issues.

There is no support for using SAML as an authentication provider in OpenShift [1]. There is a community support SAML authentication provider, but it uses mod_auth_melon [2] which is not written in Go.

[1] https://github.com/openshift/request-header-saml-service-provider
[2] https://github.com/latchset/mod_auth_mellon

OpenShift uses the aws-sdk-go library which includes SAML support via it's AssumeRoleWithSAML api call [3], but that type is not used in the OpenShift 4.x codebase.

[3] https://github.com/aws/aws-sdk-go/blob/master/service/sts/api.go#L261

Comment 6 Przemyslaw Roguski 2020-12-17 08:06:41 UTC
Mitigation:

While there is unlikely to be any fix for this issue Go's encoding/xml library affected users can workaround the vulnerability by using Mattermost's xml-roundtrip-validator [1].

[1] https://github.com/mattermost/xml-roundtrip-validator

Comment 8 Product Security DevOps Team 2020-12-18 13:31:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-29511

Comment 10 Jason Shepherd 2020-12-21 23:30:53 UTC
The awk-sdk-go project has confirmed that are not affected by these vulnerabilities. https://github.com/aws/aws-sdk-go/issues/3697#issuecomment-746677844

Comment 12 Przemyslaw Roguski 2021-01-08 12:26:13 UTC
Statement:

All uses of xml/encoding package in OpenShift Container Platform, OpenShift Jaeger,  OpenShift Service Mesh (OSSM), OpenShift Virtualization and OpenShift Container Storage do not rely on XML stability. We have assigned CVE-2020-27846 for crewjam/saml, and CVE-2020-27847 for dexidp/dex Go modules which are known to use encoding/xml in an unsafe way.

As it is unlikely for there to be any fix for this issue in Go's encoding/xml library, and the library should not be relied upon for security-sensitive protocols such as SAML and XML-DSig, there is currently no plan to fix this in golang as shipped in Red Hat Enterprise Linux 7, 8, or Red Hat Developer Tools.


Note You need to log in before you can comment on or make changes to this bug.