Zend_XmlRpc are vulnerable to XML Entity Expansion (XEE) vectors, leading to Denial of Service. XEE attacks occur when the XML DOCTYPE declaration includes XML entity definitions that contain either recursive or circular references; this leads to CPU and memory consumption, making Denial of Service exploits trivial to implement.
All locations where DOMDocument was used with user input were patched. The patches mitigate the XEE vector by first calling libxml_disable_entity_loader(), and then looping through the children, testing whether any are of type XML_DOCUMENT_TYPE_NODE; if so, an exception is raised and execution is halted. Where SimpleXML is used, the XML is loaded first via DOMDocument and scanned as noted above; once validated, the DOMDocument instance is passed to
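The mitigation just described, as an added PHP example that is not the framework's own patch: it assumes simplexml_import_dom() for the hand-off to SimpleXML (which this text does not name) and guards the libxml_disable_entity_loader() call because that function is deprecated from PHP 8.0.

```php
<?php
// Added example, not Zend Framework's own patch: load untrusted XML-RPC
// input the way the advisory describes, then hand it to SimpleXML.

final class UnsafeXmlException extends RuntimeException {}
function loadUntrustedXml(string $xml): DOMDocument
{
    // Refuse external entity fetches (file://, http://) during parsing.
    // libxml_disable_entity_loader() is deprecated from PHP 8.0, where
    // bundled libxml >= 2.9 already disables external loading by default.
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    $dom    = new DOMDocument();
    $loaded = $dom->loadXML($xml, LIBXML_NONET);

    libxml_use_internal_errors($prevErrors);
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader($prevLoader);
    }
    if ($loaded === false) {
        throw new UnsafeXmlException('malformed XML');
    }

    // Any DOCTYPE node at the top level may carry entity definitions,
    // so reject the whole document before anything can expand them.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new UnsafeXmlException('DOCTYPE declarations are not accepted');
        }
    }
    return $dom;
}

// Constructed samples: one request with a DOCTYPE, one without.
$withDoctype = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY g "hi">]>'
    . '<methodCall><methodName>&g;</methodName></methodCall>';
$clean = '<?xml version="1.0"?>'
    . '<methodCall><methodName>system.listMethods</methodName></methodCall>';

try {
    loadUntrustedXml($withDoctype);
} catch (UnsafeXmlException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// SimpleXML path (assumed helper: simplexml_import_dom on the validated DOM).
$request = simplexml_import_dom(loadUntrustedXml($clean));
echo (string) $request->methodName, PHP_EOL;
```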
This patch has been applied starting in versions 1.11.13 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and first released with 2.0.0rc4).
If you are using either in your projects, we recommend upgrading immediately to 1.11.13 or greater.
The Zend Framework team thanks the following for working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org