Security Advisory: XXE Vulnerabilities
Date: 17 April 2019
Severity: Medium (CVSS 6.8)
Affected versions: all midPoint versions
Fixed in versions: 4.0 (unreleased), 3.9.1 (unreleased), 3.8.1 (unreleased), 3.7.3 (unreleased), 3.6.2 (unreleased)
The way how MidPoint handles XML documents is vulnerable to attacks based on XML External Entities (XXE). MidPoint is parsing XML documents that can contain embedded DTD and Entity declarations. Those can be abused to gain information that otherwise should be accessible.
Severity and Impact
This is medium-severity issue. The attacker can read files that are accessible to the process that midPoint is running in. However, it is unlikely that this vulnerability could expose any information that cannot be exposed by other means already (see below).
MidPoint users are advised to upgrade their deployments to the latest builds from the support branches.
As this is a medium severity issue, it is not forcing official maintenance releases of midPoint. However, the fix is provided in all the support branches.
Discussion and Explanation
The attacker needs an ability to add or modify XML files in the system, e.g. the ability to edit objects in raw XML form, create queries in XML form and so on. Therefore this vulnerability is usually exposed only to system administrators that already have high privileges. In that case it is unlikely that this vulnerability would expose any information that cannot be exposed by other mechanisms already. E.g. system administrators can use script expression to get the same information as is exposed by the XXE vulnerabilities.
However, there is a planned solution to limit data exposure by expressions. If that mechanism is implemented, XXE vulnerability may become a significant problem. Therefore the use of XXE in XML was explicitly disabled. This is reducing potential data exposure in future midPoint versions.
Variants of this issue were reported by testers known as A855 and XiaoX by the means of EU-Free and Open Source Software Auditing (EU-FOSSA2) project.