Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-5786185A-9A43-11E8-B34B-6CC21735F730: xml-security-c -- crashes on malformed KeyInfo content

Back to Search

FreeBSD: VID-5786185A-9A43-11E8-B34B-6CC21735F730: xml-security-c -- crashes on malformed KeyInfo content

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
08/03/2018
Created
03/19/2019
Added
08/08/2018
Modified
08/08/2018

Description

The shibboleth project reports:

SAML messages, assertions, and metadata all commonly make use of the

XML Signature KeyInfo construct, which expresses information about

keys and certificates used in signing or encrypting XML.

The Apache Santuario XML Security for C++ library contained code

paths at risk of dereferencing null pointers when processing various

kinds of malformed KeyInfo hints typically found in signed or

encrypted XML. The usual effect is a crash, and in the case of the

Shibboleth SP software, a crash in the shibd daemon, which prevents

access to protected resources until the daemon is restarted.

Solution(s)

  • freebsd-upgrade-package-apache-xml-security-c

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;