Zend Framework 1.11.13 and 1.12.0rc4 Released!

The Zend Framework team announces the immediate availability of Zend Framework’s 1.11.13 release, the thirteenth maintenance release in the 1.11 series, and 1.12.0rc4, our fourth (and likely last) release candidate for the 1.12 series. Downloads are available at:

These releases include important security fixes.

Several components were found to contain additional XML eXternal Entity (XXE) injection vulnerabilities (in addition to the XML-RPC component patched in 1.11.12). Additionally, we identified several potential XML Entity Expansion (XEE) vectors. XEE attacks occur when the XML doctype declaration contains XML entity definitions; these attacks usually result in recursion, which consumes CPU and memory resources, making Denial of Service (DoS) attacks easier to implement.

The patches in 1.11.13 and 1.12.0rc4 close both XXE and XEE vulnerabilities found in the framework. The former are mitigated by ensuring libxml_disable_entity_loader is called before any SimpleXML calls are executed; the latter are mitigated by looping through the DOMDocument instance and checking for XML_DOCUMENT_TYPE_NODE children, raising an exception if any are found (in cases where SimpleXML is used, loading the XML via DOMDocument first, and then passing the object to simplexml_import_dom).

The following components were patched:

  • Zend_Dom
  • Zend_Feed
  • Zend_Soap
  • Zend_XmlRpc

Thanks goes to Pádraic Brady for identifying and patching these vectors.

If you are using any of the above components, we highly recommend upgrading to 1.11.13 or later immediately.