Friday, April 18, 2014

HL7 eNews -- April 17, 2014 : CDA Style Sheet Security Update Complete

This showed up in my inbox late yesterday.

April 17, 2014

CDA Style Sheet Security Update Complete

A potential security vulnerability to the long-standing CDA® (Clinical Document Architecture) style sheet was recently raised and the community took quick action to update the style sheet and address each issue.

This update addresses a potential vulnerability exposed by use of the style sheet in many current internet applications by preventing malicious insertion of executable code into the display instructions for non-XML (Extensible Markup Language) clinical documents (allowed as the body in Consolidated CDA), illegal table attributes, and image URIs (uniform resource indicators) to potentially hostile sites.
When the style sheet was developed and evolved through community efforts, browser support for XSLT (Extensible Stylesheet Language Transform) stylesheets was not commonly seen as a potential source of vulnerabilities, and JavaScript support was not as consistent or pervasive as it is today. These are no longer safe assumptions and we have responded to the potential threat by making the following security enhancements:

  • "Sanitizing" references in the nonXMLBody of a CDA document before passing it to an IFRAME.
  • Removing table attributes such as "onmouseover" that are legal in XHTML but not allowed in CDA
  • Allowing only local relative image URIs by default, but providing a parameter to the XSLT stylesheet to re-enable remote image support for those who need it.

The style sheet updates are not intended as a replacement for other security measures. Recipients should load CDA documents from trusted sources, validate them against both the CDA.xsd schema and appropriate Schematron schemas, scan XML files for potential JavaScript insertion before accepting them from 3rd parties, and stay current with best security practices. The vulnerabilities in the XSLT style sheet are only possible when other security measures are lax.

The updated style sheet is available here
We appreciate the action of the community to raise this issue and encourage all to continue to work to improve this utility. Special thanks to Lantana Consulting Group for working tirelessly to address these concerns quickly and efficiently.

Calvin Beebe, Diana Behling, Rick Geimer, Austin Kreisler, Patrick Loyd, and Brett Marquard
Co-Chairs, Structured Documents Work Group

It is this kind of team work that drives the best solutions for the HL7 community and we greatly appreciate the work of this Work Group and others who participated in this effort. The Technical Steering Committee will develop an ongoing security policy for HL7.

John Quinn
HL7 Chief Technology Officer

Ken McCaslin
Technical Steering Committee Chair


Post a Comment