XTF 3.2 and 3.1.1 security release
Written by mhaye on April 25, 2024 – 1:44 pm
Two new versions of XTF have been released to address a security concern in XTF 3.1:
- XTF 3.2 – new version incorporating bug fixes and enhancements that have been contributed over the years. Of note, XTF now works in Tomcat 9 and any OpenJDK up to and including OpenJDK 21. Many thanks to the generous contributors to XTF over the years (see the git log). A whole bunch of changes, large and small, are incorporated in this release! See the change log for details.
- XTF 3.1.1 – bug fix version; the same as XTF 3.1 but with the security fix for DynaXML. Note: still limited to OpenJDK 11 or less.
Details on the security concern:
- DynaXML supported the ability to override the source XML document using a URL parameter.
- A malicious actor could point it at a malicious XML file and get DynaXML to process the file. We currently know of no exploits which could leverage that to escalate privilege, but it’s poor security practice to process user-controlled content when an app is not designed to do so.
- The fix adds a configuration parameter to dynaXML.conf:
  <allowSourceOverride prefix=""/>
  to specify an explicit prefix that is allowed in the source override. If not specified or an empty string, source overrides are prevented.
- If you are depending on source override behavior, you'll need to configure the prefix. If not, leave it unconfigured or empty.
How to get the fix: this depends on how you run XTF now.
- If you have Apache httpd in front of XTF, you can add a rewrite rule that blocks /view requests with a source= parameter. No other changes to your XTF installation would be needed.
- If you run stock XTF 3.1 from the war file, grab the xtf.jar file from inside xtf-3.1.1.zip (linked on the Downloads page), and replace your WEB-INF/lib/xtf.jar file with it. Then restart Tomcat.
- If you build XTF yourself from source, pull the latest from Github and merge it into yours, or else cherry-pick the fix commit into your codebase.
- Or if you wish, upgrade to XTF 3.2.
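For the first option, here is a mod_rewrite rule of the kind described above. It is an added example written for this post, not configuration shipped by the XTF project. It assumes httpd is proxying to Tomcat inside a VirtualHost, that mod_rewrite is loaded, and that XTF is deployed under the context path /xtf (change the path to match your deployment).

```apache
# Added example (not part of XTF): refuse DynaXML source overrides at httpd.
# Assumes a VirtualHost context and an /xtf context path; adjust to your deployment.
RewriteEngine On

# %{QUERY_STRING} is matched as the raw, undecoded query string, so look for
# "source=" either at the very start of the query or right after a "&" separator.
RewriteCond %{QUERY_STRING} (^|&)source= [NC]

# Answer 403 Forbidden for /xtf/view requests that carry that parameter.
# "-" leaves the URL unchanged; [F] stops processing before the request is
# proxied on to Tomcat, so DynaXML never sees the override.
RewriteRule ^/xtf/view(/.*)?$ - [F]
```

After reloading httpd, confirm with a request such as `curl -i 'https://your-host/xtf/view?docId=test&source=x'` that the answer is 403 while the same request without source= still reaches XTF. Two caveats: the rule only sees the raw query string, so a parameter name sent percent-encoded (for example `%73ource=`) is not matched even though Tomcat decodes it, and a parameter carried in a POST body is not examined at all if the servlet also accepts it there. Treat the rewrite as a stopgap that buys time; the xtf.jar replacement or the upgrade to 3.2 removes the unrestricted override itself.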
If you have questions, write to the xtf-users email list.