CVE CyberSecurity Database News

CVE-2023-44483 - Info Leak in Apache Santuario - XML Security for Java (Private Key Disclosure)

Poster -

A critical vulnerability has surfaced in Apache Santuario - XML Security for Java, tracked as CVE-2023-44483. All versions before 2.2.6, 2.3.4, and 3..3 are exposed when using the JSR 105 API. Under certain debug logging settings, private cryptographic keys may be inadvertently written to log files, posing a dangerous risk of key disclosure. This post will break down how the bug happens, show what code sparks the leak, and give you steps to both exploit and fix the issue.

What is Apache Santuario - XML Security for Java?

Apache Santuario is a Java library used by applications for creating and validating XML Signatures and XML Encryption. It is commonly used in SAML (Single Sign-On), SOAP, and other security-conscious Java applications.

How does the leak happen?

If your Java application uses Santuario to make XML Signatures via the JSR 105 API, and you have debug logging switched on, Santuario can log private key content directly into log files. This can potentially hand your critical cryptographic secrets to anyone with access to these logs.

Imagine a typical XML Signature creation code in Java, logging enabled at debug level

import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
// ... (other imports)

KeyPair keyPair = KeyPairGenerator.getInstance("RSA").generateKeyPair();
DOMSignContext signContext = new DOMSignContext(keyPair.getPrivate(), document.getDocumentElement());

XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");

XMLSignature signature = factory.newXMLSignature(si, ki);
signature.sign(signContext);

If debug-level logging is turned on (for example, -Dorg.apache.xml.security.debug=true or using log4j/slf4j set to DEBUG), private keys passed to DOMSignContext or signature methods may appear in your app logs.

Sample Exposed Output (debug log)

DEBUG org.apache.xml.security.signature.XMLSignature - Using private key: SunRSAPrivateKey [private exponent: ...]

Read through entries made during XML signature creation.

3. Extract the private key and use it to forge digital signatures, impersonate services, or decrypt confidential data.

Proof-of-Concept

# Assume access to logs stored at /var/log/myapp/debug.log
grep 'private key' /var/log/myapp/debug.log > private_key_leak.txt
# Now, attacker has the private key and can try using openssl or similar tools to use it

References

- Apache Santuario Security Advisories
- Original Issue Tracker
- NVD Entry: CVE-2023-44483

Instructions (Maven example)

<dependency>
  <groupId>org.apache.santuario</groupId>
  <artifactId>xmlsec</artifactId>
  <version>2.3.4</version>
</dependency>

Immediate Workaround (if you can't upgrade)

- Disable debug logging in production (log4j/slf4j to WARN or ERROR).

Final Notes

Keeping private keys off your logs is crucial! If your application uses XML signatures with Apache Santuario, don't delay: upgrade now or disable debug logging. Even trusted logs become a liability when cryptographic keys are at stake.

Stay safe, patch quickly, and check your logs!

*Written exclusively for this request – please consult the references above for the official announcements and detailed advisories.*

Timeline

Published on: 10/20/2023 10:15:12 UTC
Last modified on: 10/27/2023 18:49:49 UTC