
Security Issues


This document explains how Symfony security issues are handled by the Symfony core team (Symfony being the code hosted on the main symfony/symfony Git repository).

Reporting a Security Issue

If you think that you have found a security issue in Symfony, don't use the bug tracker and don't publish it publicly. Instead, all security issues must be sent to security [at] symfony.com. Emails sent to this address are forwarded to the Symfony core team's private mailing list.

The following issues are not considered security issues and should be handled as regular bug fixes (if you have any doubts, don't hesitate to send us an email for confirmation):

  • Any security issues found in debug tools that must never be enabled in production (including the web profiler or anything enabled when APP_DEBUG is set to true or APP_ENV is set to anything but prod);
  • Any security issues found in classes provided to help with testing that should never be used in production (for instance mock classes that contain Mock in their name, or classes in the Test namespace);
  • Any fix that can be classified as security hardening, like route enumeration, login throttling bypasses, denial of service attacks, timing attacks, or lack of SensitiveParameter attributes.

In any case, the core team has the final decision on which issues are considered security vulnerabilities.

Security Bug Bounties

Symfony is an Open-Source project where most of the work is done by volunteers. We appreciate that developers are trying to find security issues in Symfony and report them responsibly, but we are currently unable to pay bug bounties.

Resolution Process

For each report, we first try to confirm the vulnerability. When it is confirmed, the core team works on a solution following these steps:

  1. Send an acknowledgment to the reporter;
  2. Work on a patch;
  3. Get a CVE identifier from mitre.org;
  4. Write a security announcement for the official Symfony blog about the vulnerability. This post should contain the following information:

    • a title that always includes the "Security release" string;
    • a description of the vulnerability;
    • the affected versions;
    • the possible exploits;
    • how to patch/upgrade/work around affected applications;
    • the CVE identifier;
    • credits.
  5. Send the patch and the announcement to the reporter for review;
  6. Apply the patch to all maintained versions of Symfony;
  7. Package new versions for all affected versions;
  8. Publish the post on the official Symfony blog (it must also be added to the "Security Advisories" category);
  9. Update the public security advisories database maintained by the FriendsOfPHP organization, which is used by the check:security command.

Note

Releases that include security issues should not be done on Saturday or Sunday, except if the vulnerability has been publicly posted.

Note

While we are working on a patch, please do not reveal the issue publicly.

Note

The resolution takes anywhere between a couple of days and a month depending on its complexity and the coordination with the downstream projects (see next section).

Collaborating with Downstream Open-Source Projects

As Symfony is used by many large Open-Source projects, we standardized the way the Symfony security team collaborates on security issues with downstream projects. The process works as follows:

  1. After the Symfony security team has acknowledged a security issue, it immediately sends an email to the downstream project security teams to inform them of the issue;
  2. The Symfony security team creates a private Git repository to ease the collaboration on the issue; access to this repository is given to the Symfony security team, to the Symfony contributors that are impacted by the issue, and to one representative of each downstream project;
  3. All people with access to the private repository work on a solution to the issue via pull requests, code reviews, and comments;
  4. Once the fix is found, all involved projects collaborate to find the best date for a joint release (there is no guarantee that all releases will happen at the same time, but we will try hard to make them at about the same time). When the issue is not known to be exploited in the wild, a period of two weeks is considered a reasonable amount of time.

The list of downstream projects participating in this process is kept as small as possible in order to better manage the flow of confidential information prior to disclosure. As such, projects are included at the sole discretion of the Symfony security team.

As of today, the following projects have validated this process and are part of the downstream projects included in it:

  • Drupal (releases typically happen on Wednesdays)
  • eZPublish

Issue Severity

In order to determine the severity of a security issue, we take into account the complexity of any potential attack, the impact of the vulnerability, and also how many projects it is likely to affect. The resulting score out of 15 is then converted into a level of: Low, Medium, High, Critical, or Exceptional.

Attack Complexity

Score of between 1 and 5 depending on how complex it is to exploit the vulnerability:

  • 4 - 5 Basic: attacker must follow a set of simple steps
  • 2 - 3 Complex: attacker must follow non-intuitive steps with a high level of dependencies
  • 1 - 2 High: a successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected.

Impact

Scores from the following areas are added together to produce a score. The score for Impact is capped at 6. Each area is scored between 0 and 4.

  • Disclosure: Does this vulnerability cause non-public data to be accessible? If so, does the attacker have control over which data is disclosed? (0-4)
  • Integrity: Can this exploit allow system data (or data handled by the system) to be compromised? If so, does the attacker have control over the modification? (0-4)
  • Code Execution: Does the vulnerability allow arbitrary code to be executed on an end user's system, or on the server that it runs on? (0-4)
  • Availability: Is the availability of a service or application affected? Is it reduced availability or total loss of availability of a service / application? Availability includes networked services (e.g. databases) or resources such as consumption of network bandwidth, processor cycles, or disk space. (0-4)

Affected Projects

Scores from the following areas are added together to produce a score. The score for Affected Projects is capped at 4.

  • Will it affect some or all applications using a component? (1-2)
  • Is the usage of the component that would cause such a thing already considered bad practice? (0-1)
  • How common/popular is the component (e.g. Console vs HttpFoundation vs Lock)? (0-2)
  • Are a number of well-known open-source projects using Symfony affected, requiring coordinated releases? (0-1)

Score Totals

  • Attack Complexity: 1 - 5
  • Impact: 1 - 6
  • Affected Projects: 1 - 4

Severity levels

  • Low: 1 - 5
  • Medium: 6 - 10
  • High: 11 - 12
  • Critical: 13 - 14
  • Exceptional: 15
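The three sub-scores above interact through their caps, which is easy to get wrong when scoring by hand: four maxed-out Impact areas still contribute only 6, and the smallest possible total is 2 (complexity 1, impact 0, one affected scope point). The following Python helper is an added example, not part of the Symfony documentation or tooling; the function names, the integer representation of each area, and the constructed scenario at the bottom are this example's own.

```python
"""Severity scoring helper mirroring the three-part scheme described above.

Added example (not Symfony's own code). Function names, the integer
representation of each scored area, and the sample scenario are assumptions.
"""
from typing import Tuple

IMPACT_CAP = 6              # Impact areas are summed, then capped at 6
AFFECTED_PROJECTS_CAP = 4   # Affected Projects areas are summed, then capped at 4

# Severity levels keyed by the inclusive upper bound of the total score (out of 15).
SEVERITY_BANDS = ((5, "Low"), (10, "Medium"), (12, "High"), (14, "Critical"), (15, "Exceptional"))


def _in_range(name: str, value: int, low: int, high: int) -> int:
    """Reject sub-scores outside the range the scheme allows for that area."""
    if not isinstance(value, int) or not low <= value <= high:
        raise ValueError(f"{name} must be an integer between {low} and {high}, got {value!r}")
    return value


def impact_score(disclosure: int, integrity: int, code_execution: int, availability: int) -> int:
    """Sum the four Impact areas (each 0-4) and cap the result at 6."""
    total = (
        _in_range("disclosure", disclosure, 0, 4)
        + _in_range("integrity", integrity, 0, 4)
        + _in_range("code_execution", code_execution, 0, 4)
        + _in_range("availability", availability, 0, 4)
    )
    return min(total, IMPACT_CAP)


def affected_projects_score(scope: int, bad_practice: int, popularity: int, coordinated_release: int) -> int:
    """Sum the four Affected Projects areas and cap the result at 4.

    scope: 1-2 (some or all applications using the component)
    bad_practice: 0-1, popularity: 0-2, coordinated_release: 0-1
    """
    total = (
        _in_range("scope", scope, 1, 2)
        + _in_range("bad_practice", bad_practice, 0, 1)
        + _in_range("popularity", popularity, 0, 2)
        + _in_range("coordinated_release", coordinated_release, 0, 1)
    )
    return min(total, AFFECTED_PROJECTS_CAP)


def severity_level(total: int) -> str:
    """Map a total score (out of 15) to its severity level."""
    for upper, level in SEVERITY_BANDS:
        if total <= upper:
            return level
    raise ValueError(f"total score out of range: {total}")


def assess(attack_complexity: int, impact: int, affected_projects: int) -> Tuple[int, str]:
    """Combine the three capped sub-scores into the final score and level.

    Impact is accepted from 0 here because every Impact area may score 0,
    even though the page lists the Impact total as 1-6.
    """
    total = (
        _in_range("attack_complexity", attack_complexity, 1, 5)
        + _in_range("impact", impact, 0, IMPACT_CAP)
        + _in_range("affected_projects", affected_projects, 1, AFFECTED_PROJECTS_CAP)
    )
    return total, severity_level(total)


if __name__ == "__main__":
    # Constructed scenario: trivially exploitable code execution in a very
    # popular component that also hits downstream projects.
    impact = impact_score(disclosure=4, integrity=4, code_execution=4, availability=0)
    affected = affected_projects_score(scope=2, bad_practice=0, popularity=2, coordinated_release=1)
    print(assess(5, impact, affected))  # (15, 'Exceptional'): the caps keep the raw sums at 6 and 4
```

The range checks matter as much as the arithmetic: a reviewer who enters 5 for a 0-4 area or 0 for the 1-2 scope question should get an error rather than a silently shifted severity.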

Security Advisories

Tip

You can check your Symfony application for known security vulnerabilities using the check:security command.

Check the Security Advisories blog category for a list of all security vulnerabilities that were fixed in Symfony releases, starting from Symfony 1.0.0.
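A check like the one mentioned above works by comparing each installed package version against the version ranges published in the advisories database (step 9 of the resolution process). The Python sketch below is an added example, not Symfony's own code or the check:security implementation. It assumes the layout of FriendsOfPHP security-advisories entries (a `reference` of the form composer://vendor/package and, per branch, a `versions` list of constraints that must all hold for the installed version to be affected), handles only numeric dotted versions with an optional "v" prefix, and runs over a constructed composer.lock excerpt for a fictional package; the function names are this example's own.

```python
"""Match installed Composer packages against advisory version ranges.

Added example, not the check:security implementation. Assumptions: advisory
entries carry "reference": "composer://vendor/package" and "branches" whose
"versions" lists hold constraints such as ">=1.0.0" and "<1.4.2" that must
ALL hold for the installed version to be affected. Pre-release suffixes are
not handled; only numeric dotted versions (optionally prefixed with "v").
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

_VERSION = re.compile(r"^v?(\d+(?:\.\d+)*)$")
_CONSTRAINT = re.compile(r"^(>=|<=|==|=|>|<)?\s*v?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Version:
    """Turn '1.4', 'v1.4.2' or '1.4.2.0' into a tuple of integers."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so 1.4 compares equal to 1.4.0 rather than below it."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: Version, constraint: str) -> bool:
    """Evaluate one comparison constraint (default operator is equality)."""
    m = _CONSTRAINT.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = m.group(1) or "=="
    left, right = _pad(version, parse_version(m.group(2)))
    return {
        ">=": left >= right,
        "<=": left <= right,
        ">": left > right,
        "<": left < right,
        "=": left == right,
        "==": left == right,
    }[op]


def find_vulnerable(lock: Dict, advisories: List[Dict]) -> List[Tuple[str, str, str]]:
    """Return (package, branch, title) for each advisory branch covering an installed version."""
    installed = {
        pkg["name"]: parse_version(pkg["version"])
        for pkg in lock.get("packages", []) + lock.get("packages-dev", [])
    }
    hits = []
    for adv in advisories:
        ref = adv.get("reference", "")
        if not ref.startswith("composer://"):
            continue  # only Composer references are relevant to a PHP lock file
        name = ref[len("composer://"):]
        if name not in installed:
            continue
        for branch, data in adv.get("branches", {}).items():
            constraints = data.get("versions") or []
            # An empty constraint list must not match everything.
            if constraints and all(satisfies(installed[name], c) for c in constraints):
                hits.append((name, branch, adv.get("title", "")))
    return hits


# Constructed advisory for a fictional package; no real package or CVE is referenced.
ADVISORIES = [
    {
        "title": "Constructed example advisory for the fictional package acme/widget",
        "reference": "composer://acme/widget",
        "branches": {
            "1.x": {"versions": [">=1.0.0", "<1.4.2"]},
            "2.x": {"versions": [">=2.0.0", "<2.1.0"]},
        },
    },
]

# Constructed composer.lock excerpt containing only the fields this check reads.
LOCK = {
    "packages": [
        {"name": "acme/widget", "version": "v1.3.0"},
        {"name": "acme/other", "version": "3.0.1"},
    ],
    "packages-dev": [],
}

if __name__ == "__main__":
    for name, branch, title in find_vulnerable(LOCK, ADVISORIES):
        print(f"{name} ({branch}): {title}")
```

The two edge cases worth noticing are the boundary version (1.4.2 is the first fixed release, so "<1.4.2" must exclude it) and the zero-padding, without which a lock file pinning "1.4" would compare below "1.4.0".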

This worc, including the code samples, is licensed under a Creative Commons BY-SA 3.0 license.