Following a security assessment from the Ruhr-Universität Bochum, we are delivering security patches for DSS versions 5.2 and 5.3.
Delivered patches are:
- 5.2 → 5.2.1
- 5.3.0 / 5.3.1 → 5.3.2
Use of older versions is discouraged.
XAdES / ASiC with XAdES / TL-based signature validation
If your DSS integration is using XAdES, ASiC with XAdES, or TL-based signature validation, it is strongly encouraged to upgrade your version.
The patches harden signature validation against several classes of attack: XML Signature Wrapping (XSW), XPath injection, Server-Side Request Forgery (SSRF) and XML External Entities (XXE).
While upgrading, make sure that your integration:
- doesn't use Xalan or XercesImpl dependencies
- uses a patched Java version (JDK7u40+, JDK8 or higher)
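The two integration requirements above matter because the JDK's own JAXP parser is where XXE and reference-URI handling are controlled. The following is an added example, not DSS code, of what the patched behaviour amounts to on the integrator's side: a DocumentBuilder that refuses any DOCTYPE and external entity, a check that every ds:Reference URI stays inside the document (rejecting http:/file: targets and xpointer() expressions), and a check that a referenced Id resolves to exactly one element, since duplicated Ids are what XSW relies on. The sample document, the namespace constant and the helper names are constructed for this example; the exact checks in DSS-1509/1510/1511 are not described on this page.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class HardenedXmlSigChecks {

    private static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";

    /** JAXP parser configured so that a DOCTYPE, external entities and XInclude are refused (XXE). */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Example policy: accept only "" (whole document) or "#id"; no remote URIs (SSRF), no xpointer() (XPath injection). */
    static boolean isSameDocumentUri(String uri) {
        if (uri == null || uri.equals("#")) return false;
        if (uri.isEmpty()) return true;
        return uri.startsWith("#") && !uri.startsWith("#xpointer(");
    }

    /** Count every element carrying the Id under the usual attribute spellings; XSW depends on duplicates. */
    static int countElementsWithId(Document doc, String id) {
        int n = 0;
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttribute("Id")) || id.equals(e.getAttribute("ID")) || id.equals(e.getAttribute("id"))) n++;
        }
        return n;
    }

    /** Return one message per ds:Reference that violates the URI or uniqueness policy; empty list means OK. */
    static List<String> checkReferences(Document doc) {
        List<String> problems = new ArrayList<>();
        NodeList refs = doc.getElementsByTagNameNS(DS_NS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ref = (Element) refs.item(i);
            String uri = ref.hasAttribute("URI") ? ref.getAttribute("URI") : null;
            if (!isSameDocumentUri(uri)) {
                problems.add("Reference URI rejected: " + uri);
                continue;
            }
            if (!uri.isEmpty()) {
                String id = uri.substring(1);
                int hits = countElementsWithId(doc, id);
                if (hits != 1) problems.add("Id '" + id + "' resolves to " + hits + " elements, expected exactly 1");
            }
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (signature structure only, no real digest): a duplicated Id and a remote URI.
        String sample = "<root><doc Id='data'>original</doc><doc Id='data'>swapped</doc>"
            + "<ds:Signature xmlns:ds='" + DS_NS + "'><ds:SignedInfo>"
            + "<ds:Reference URI='#data'/><ds:Reference URI='http://internal.example/resource'/>"
            + "</ds:SignedInfo></ds:Signature></root>";
        DocumentBuilder b = hardenedBuilder();
        Document doc = b.parse(new ByteArrayInputStream(sample.getBytes(StandardCharsets.UTF_8)));
        for (String p : checkReferences(doc)) System.out.println("REJECT: " + p);

        // Any DOCTYPE is refused by the parser itself, before an entity could be resolved.
        String withDoctype = "<!DOCTYPE x [<!ENTITY e 'text'>]><x>&e;</x>";
        try {
            b.parse(new ByteArrayInputStream(withDoctype.getBytes(StandardCharsets.UTF_8)));
            System.out.println("DOCTYPE accepted: parser is NOT hardened");
        } catch (SAXParseException e) {
            System.out.println("REJECT: DOCTYPE refused: " + e.getMessage());
        }
    }
}
```

The feature URIs used here are those understood by the Xerces parser bundled with the JDK; a classpath Xerces or Xalan (the dependencies the note asks you to drop) may honour them differently, which is one reason the upgrade requires removing them.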
PAdES
If you use dss-pades, it is also strongly encouraged to upgrade your DSS version, as these releases include an upgraded PDFBox that patches known vulnerabilities.
Issues
- [DSS-1489] - XAdES : remove Xalan dependency
- [DSS-1508] - PAdES : Upgrade PDFBox
- [DSS-1509] - XAdES : enforce validation against XSW
- [DSS-1510] - XAdES : enforce XML Security against XXE
- [DSS-1511] - XAdES : enforce reference URI validation (SSRF / XPath injections)
- [DSS-1512] - CommonDataLoader : enforce SSL certificates validation