Today's cybersecurity headlines are brought to you by ThreatPerspective

Threat Intelligence

Apache XML Security for C++ Library Allows for Server-Side Request Forgery

Figure 2: Apache Santuario added a disclaimer suggesting to not use the xml-security-c library


C++ developers should first scan their projects to determine if they use the Apache xml-security-c library. If so, the software may have a server-side request forgery vulnerability unless the code is patched.

In some cases, usage of xml-security-c may be very limited, or it may be inconvenient to recompile the library when it is obtained in binary form. If developers can pinpoint each use of the XSECProvider class, they can call the setDefaultURIResolver method on the XSECProvider object, passing a custom implementation of XSECURIResolver that simply does nothing. This avoids the need to recompile xml-security-c and ensures the software remains secure if it is ever linked against the stock xml-security-c.

An alternative, and in our view superior approach, is to patch the xml-security-c library to make it secure by default with regard to URI resolution. Mandiant developed a patch to supersede the vulnerable XSECURIResolverXerces with a new default XSECURIResolverNoop that does nothing, thus fixing the SSRF. By applying the patch and recompiling, the library will not be susceptible to this form of SSRF. Note that any legitimate uses of external URIs would need to be changed to manually specify XSECURIResolverXerces as the default URI resolver.

The patch is available for download now (note: the download is a ZIP file, which contains the patch as a TXT file).

Published: 2024-04-09T14:00:00

© Ethical Hacking News . All rights reserved.

Privacy | Terms of Use | Contact Us