From: Markus K. <ma...@pr...> - 2014-11-28 08:48:50
XML processing workers in SignServer have been discovered to be vulnerable to an XML External Entity attack. Systems configured with the affected modules could allow an attacker to access local files, bypass certain protection mechanisms or cause high CPU usage.

Users of any of the following workers are advised to upgrade to the latest version of SignServer or to disable access to those workers from untrusted users:

- XML signer and validator
- XAdES signer and validator
- OOXML signer
- ODF signer

Note that installations where those workers are not configured are not affected by this vulnerability.

This issue has been resolved in SignServer 3.6.2 by disallowing document type definitions in user-supplied XML documents.

For upgrade instructions, please see doc/UPGRADE.txt.

Regards,
PrimeKey SignServer Team
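The mitigation named in the advisory, disallowing document type definitions in untrusted XML, can be illustrated with the standard JAXP parser. This is an added example, not SignServer's own code: the class and method names are hypothetical and both sample documents are constructed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical helper class for this example.
public class DtdFreeParser {

    /** Builds a factory whose parsers reject any document that carries a DOCTYPE. */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // XML signature processing relies on namespaces
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Xerces / JDK parser feature: a DOCTYPE declaration becomes a fatal error,
        // so neither internal nor external entities can be declared at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Returns the parsed document, or null when the parser rejects the input. */
    static Document parseUntrusted(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        try {
            return builder.parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXException e) {
            // Raised for the DOCTYPE declaration (and for any malformed input).
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one declaring a harmless
        // internal entity. The second is rejected because it contains a DOCTYPE.
        String plain = "<doc>hello</doc>";
        String withDtd = "<!DOCTYPE doc [<!ENTITY e \"x\">]><doc>&e;</doc>";
        System.out.println("plain accepted:   " + (parseUntrusted(plain) != null));
        System.out.println("DOCTYPE accepted: " + (parseUntrusted(withDtd) != null));
    }
}
```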