ALAS-2014-377


Amazon Linux AMI Security Advisory: ALAS-2014-377
Advisory Release Date: 2014-09-19 10:49 Pacific
Severity: Important

Issue Overview:

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity (XXE) attacks.

Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.


Affected Packages:

php-ZendFramework


Issue Correction:
Run yum update php-ZendFramework to update your system.

New Packages:
noarch:
    php-ZendFramework-Pdf-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Search-Lucene-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Serializer-Adapter-Igbinary-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Cache-Backend-Libmemcached-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Services-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Captcha-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-extras-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Ldap-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-full-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Auth-Adapter-Ldap-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Soap-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Feed-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Dojo-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Cache-Backend-Apc-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-demos-1.12.5-1.8.amzn1.noarch
    php-ZendFramework-Db-Adapter-Mysqli-1.12.5-1.8.amzn1.noarch

src:
    php-ZendFramework-1.12.5-1.8.amzn1.src