FreeBSD: VID-5786185A-9A43-11E8-B34B-6CC21735F730: xml-security-c -- crashes on malformed KeyInfo content
Description
The shibboleth project reports:
SAML messages, assertions, and metadata all commonly make use of the
XML Signature KeyInfo construct, which expresses information about
keys and certificates used in signing or encrypting XML.
The Apache Santuario XML Security for C++ library contained code
paths at risk of dereferencing null pointers when processing various
kinds of malformed KeyInfo hints typically found in signed or
encrypted XML. The usual effect is a crash, and in the case of the
Shibboleth SP software, a crash in the shibd daemon, which prevents
access to protected resources until the daemon is restarted.
Solution(s)
- freebsd-upgrade-package-apache-xml-security-c
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center