Problem: 

Layer 7 products may be impacted by an issue which has been recently identified in the W3C XML Encryption specification. We recommend all customers utilizing XML Encryption to immediately adopt the recommendations below.

Environment:  

All Linux operating systems.

Layer 7 SecureSpan and CloudSpan product lines (All versions)

Cause: 

Layer 7 has reviewed the paper outlining the attack mechanism entitled "How to Break XML Encryption" by Tibor Jager and Juraj Somorovsky of Ruhr-University. This proof of concept attack would allow an attacker to decrypt encrypted XML by sending multiple, specially crafted messages to a Gateway that knows the decryption key, and gathering exploit information from any received error messages. The vulnerability is inherent to the specification as adopted and would potentially affect any compliant implementation of XML Encryption regardless of vendor.

Resolution: 

Layer 7 is currently reviewing potential long-term impacts and mitigation strategies for the SecureSpan and CloudSpan product lines and will be communicating further recommendations in the immediate future. In the short term, we strongly recommend that customers utilize TLS mutual authentication as part of policy before permitting subsequent Gateway operations attempting to decrypt any encrypted XML. The intent would be to ensure that only messages sent by entities who can be trusted not to exploit the attack would be accepted.

This mitigation approach can be enabled in the Gateway in two places:

1) At the listen port level, the following steps will ensure that incoming connections will fail on the TLS handshake unless the client is trusted to submit a message:
- Set all listen ports to use TLS 1.2
- Ensure that "Client Authentication" is set to "Required"
- Ensure that "Manage Trusted Certificates" trusts with "Trusted for signing client certificates"/"Trusted as client certificate" selected are only for certificates of private keys controlled by approved entities

2) In a message-recieved global policy, the following step will ensure that all incoming requests will be required to be authenticated before they are exposed to the WSS processor :
- Create a message-recieved global policy that requires the Request come in over TLS with a client certificate, and authenticates the certificate credentials against an identity provider

We also recommend that customers ensure that a WS-Signature is used with all encrypted elements, as a general good practice.

Future Action:

Layer 7 is currently researching other long term approaches to mitigating this exposure and will issue further security advisories about this exploit. This includes studying proposed W3C changes to the XML Encryption specification and ensuring future compliance to any changes.

As of the date of this notice, Layer 7 has received no report of any security breaches that may have occurred as a result of this vulnerability.

Additional Information: 

None.