ZF2014-01 addressed potential XML eXternal Entity (XXE) injection and XML Entity Expansion (XEE) vectors in Zend Framework components that consume XML. The solution provided at the time was creation of a new component, ZendXml, which mitigates the vectors, and which we then incorporated into all components that consume XML.
However, an independent security researcher recently discovered a vector that remained open in ZendXml when running under PHP-FPM (PHP's FastCGI Process Manager) when in a threaded environment: if the XML payload is in a multibyte encoding, the heuristic we provide to detect XXE/XEE vectors can fail.
The underlying problem is threading support for libxml2 in PHP, which is what forced us to use a heuristic detection under PHP-FPM in the first place. That problem has been fixed in the upstream PHP project, but it only applies to PHP versions 5.5 at 5.5.22 and higher, PHP 5.6 at 5.6.6 and higher, and the PHP 7 development branch. This means that, in order to protect all users of Zend Framework, we had to create better heuristic detection when using an older version of PHP.
We updated our heuristic to do the following:
<!ENTITYand test for the encoded string in the document. If discovered, the heuristic fails, and we mark the document as a security violation.
For users of PHP 5.5 >= 5.5.22, PHP 5.6 >= 5.6.6, and PHP 7 development builds, we never use the heuristic, and instead use the tools provided by libxml2 to prevent external entity loading and entity expansions.
The following components/libraries were patched, at the version specified:
This vulnerability has also been disclosed as CVE-2015-5161.
If you use any Zend Framework components that consume XML, and use or will use PHP-FPM during deployment, we recommend upgrading to one of these versions immediately.
The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:
Have you identified a security vulnerability?
Please report it to us at firstname.lastname@example.org