This blog post is a part of Mattermost’s public disclosure of three serious vulnerabilities in Go’s encoding/xml related to tokenization round-trips. The public disclosure comes as a result of several months of work, including collaborating with the Go security team since August 2020 and with affected downstream project maintainers since earlier this month.

There are several potential security problems created by these vulnerabilities, one of which is a complete bypass of SAML authentication. These issues do not impact Mattermost customers. See “No impact to Mattermost customers” below for more info.

Despite significant efforts by the Go security team, it has not been possible to patch the vulnerabilities discussed in this blog post. Only one of the three is on the roadmap to be patched in the foreseeable future (see “Update” below). The mitigation for the remaining issues will be adding a new mode in Go to make explicit that these vulnerabilities exist. Downstream projects that assume certain integrity guarantees from Go’s standard library are vulnerable when those guarantees do not hold.

The implications of these vulnerabilities in key use cases we have identified present a material security concern. If you maintain a Go-based project that relies on XML integrity, we urge you to read this post carefully.

We don’t take this type of public disclosure lightly, and it has not been an easy decision to make. There are three reasons why we are doing this now:

- The Go security team has determined that the root causes of the vulnerabilities cannot be reliably addressed.
- Go is introducing publicly-visible API changes related to these issues in an upcoming major release, which risks making the vulnerabilities public without explicit public disclosure. The Go security team has agreed to Mattermost coordinating disclosure prior to making their changes public in order to minimize impact to parts of the ecosystem that can’t benefit from the new API. Refer to the “Upcoming changes in Go” section for details.
- Careful steps have been taken to privately disclose the issues to as many affected parties as possible prior to proceeding with public disclosure. All parties involved in the disclosure have collaborated to ensure mitigations are in place and sufficient.

As part of our security work, we have identified three independently exploitable vulnerabilities in Go’s encoding/xml:

- CVE-2020-29509: XML attribute instability in Go’s encoding/xml
- CVE-2020-29510: XML directive instability in Go’s encoding/xml
- CVE-2020-29511: XML element instability in Go’s encoding/xml

As evident from the titles, the vulnerabilities are closely related. The core issue is the same in all three: maliciously crafted XML markup mutates during round-trips through Go’s decoder and encoder implementations. In other words, passing XML through Go’s decoder and encoder doesn’t preserve its semantics. What does that mean in practice? If your application processes XML and, while processing it, parses markup that’s the output of at least one preceding round of parsing and serialization, you can no longer assume the output of that parsing matches the output from the preceding round. This may sound like a non-issue or a source of functional bugs at worst, but the reality of it is much more serious.
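The check the paragraph above describes, written out as an added example (it is not code from the post, from Mattermost or from the Go project): decode a document into tokens with encoding/xml, re-encode those tokens, decode the result again, and compare the two token streams. The function names (tokenize, serialize, RoundTrip) and the two inputs are assumptions made here. The first input is a plain document and survives unchanged. The second is a constructed namespace-prefixed element; it is not one of the CVE payloads, which this page does not reproduce, but it shows the same class of behaviour on its own: Go's Encoder re-expresses the prefix and namespace declarations in its own style, so the second decode sees an attribute set the first decode never produced.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"reflect"
	"strings"
)

// tokenize runs encoding/xml's Decoder over src and returns a copy of every
// token it yields. CopyToken is required because the decoder reuses buffers
// for CharData and attribute slices between calls.
func tokenize(src string) ([]xml.Token, error) {
	dec := xml.NewDecoder(strings.NewReader(src))
	var toks []xml.Token
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return toks, nil
		}
		if err != nil {
			return nil, err
		}
		toks = append(toks, xml.CopyToken(tok))
	}
}

// serialize writes a token stream back out with encoding/xml's Encoder,
// the "serialization" half of the round-trip described in the post.
func serialize(toks []xml.Token) (string, error) {
	var buf bytes.Buffer
	enc := xml.NewEncoder(&buf)
	for _, tok := range toks {
		if err := enc.EncodeToken(tok); err != nil {
			return "", err
		}
	}
	if err := enc.Flush(); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RoundTrip decodes src, re-encodes the tokens, decodes the result again and
// reports whether the second token stream is identical to the first. A false
// result means a consumer of the re-serialized markup sees different
// elements, attributes or namespaces than the producer did. The re-encoded
// markup is returned so the difference can be inspected.
func RoundTrip(src string) (stable bool, reencoded string, err error) {
	first, err := tokenize(src)
	if err != nil {
		return false, "", err
	}
	reencoded, err = serialize(first)
	if err != nil {
		return false, "", err
	}
	second, err := tokenize(reencoded)
	if err != nil {
		return false, reencoded, err
	}
	return reflect.DeepEqual(first, second), reencoded, nil
}

// Constructed samples (assumptions for this example, not from the post):
// a plain document that survives the round-trip, and a namespace-prefixed
// element that the Encoder rewrites in its own style, so the second decode
// produces a different attribute set than the first.
var samples = []string{
	`<doc><item id="1">hello &amp; bye</item></doc>`,
	`<a:b xmlns:a="urn:a"/>`,
}

func main() {
	for _, src := range samples {
		stable, out, err := RoundTrip(src)
		if err != nil {
			fmt.Printf("input:  %s\nerror:  %v\n\n", src, err)
			continue
		}
		fmt.Printf("input:  %s\noutput: %s\nstable: %v\n\n", src, out, stable)
	}
}
```

Running it prints the re-encoded form of each sample next to the verdict, so the rewritten namespace declarations on the second sample are visible. A service that must re-parse markup it has re-serialized (the SAML case mentioned above is one such flow) can use a check of this shape as a gate: reject any document for which RoundTrip reports false rather than trusting the second parse to agree with the first.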