Monday, September 20, 2021

New CVE (CVE-2021-40690) released for Apache Santuario - XML Security for Java

A new CVE has been released for Apache Santuario - XML Security for Java which is fixed in the latest 2.2.3 and 2.1.7 releases:

  • Bypass of the secureValidation property (CVE-2021-40690) - All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

As part of this fix we do not allow unsigned References to "http" or "file" URIs any more. This is controlled by a new system property:

  • org.apache.xml.security.allowUnsafeResourceResolving

The next major release (2.3.0) will not support "http" or "file" URIs by default, even when they are signed; it will be necessary to add the ResourceResolvers manually instead (for example).

An important point is to make sure that you are setting the "secure validation" property to "true" in your project. We have decided for the next major release (2.3.0) to enable the "secure validation" property by default.
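To show concretely what "setting the secure validation property" looks like, here is an added example (written for this post, not code from the Santuario project) that verifies a detached or enveloped signature with secure validation enabled through both APIs Santuario exposes: the native org.apache.xml.security.signature.XMLSignature constructor, whose third argument is the secureValidation flag, and the JSR-105 DOMValidateContext, where Santuario's provider reads the "org.apache.jcp.xml.dsig.secureValidation" property. The class name, method names and the PublicKey/File parameters are assumptions for the example; the input document is whatever signed XML the caller supplies.

```java
import java.io.File;
import java.security.PublicKey;

import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI;
import org.apache.xml.security.Init;
import org.apache.xml.security.signature.XMLSignature;
import org.apache.xml.security.utils.Constants;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Example class (hypothetical name): verify a ds:Signature with secure validation on.
public final class SecureSignatureCheck {

    static {
        // Santuario must be initialised before its signature classes are used.
        Init.init();
    }

    // Parse the signed document with DTDs disabled, so the XML parser itself
    // cannot be used to pull in external content before the signature is checked.
    private static Element findSignatureElement(File signedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(signedXml);

        Element sigElement = (Element) doc.getElementsByTagNameNS(
                Constants.SignatureSpecNS, Constants._TAG_SIGNATURE).item(0);
        if (sigElement == null) {
            throw new IllegalArgumentException("no ds:Signature element found");
        }
        return sigElement;
    }

    // Native Santuario API: the boolean constructor argument is secureValidation.
    // Passing false (or using the two-argument constructor) leaves the checks off.
    public static boolean verifyWithSantuarioApi(File signedXml, PublicKey key) throws Exception {
        Element sigElement = findSignatureElement(signedXml);
        XMLSignature signature = new XMLSignature(sigElement, "", true);
        return signature.checkSignatureValue(key);
    }

    // JSR-105 API backed by Santuario's provider: secure validation is a context property.
    public static boolean verifyWithJsr105Api(File signedXml, PublicKey key) throws Exception {
        Element sigElement = findSignatureElement(signedXml);
        XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM", new XMLDSigRI());

        DOMValidateContext context =
                new DOMValidateContext(KeySelector.singletonKeySelector(key), sigElement);
        // Property name read by Santuario's JSR-105 implementation.
        context.setProperty("org.apache.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        javax.xml.crypto.dsig.XMLSignature signature = factory.unmarshalXMLSignature(context);
        return signature.validate(context);
    }
}
```

Two points worth checking in a real deployment: the JDK's own XMLDSig provider uses a different property name ("org.jcp.xml.dsig.secureValidation"), so a value set for one provider is silently ignored by the other; and the new org.apache.xml.security.allowUnsafeResourceResolving system property should be left unset (its default) unless there is a specific, reviewed need for unsigned "http" or "file" References.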

We would like to thank An Trinh for alerting us to this security issue.