db-derby-dev mailing list archives

From "Bryan Pendleton (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6807) XXE attack possible by using XmlVTI and the XML datatype
Date Sat, 27 Jun 2015 20:01:04 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14604330#comment-14604330 ]

Bryan Pendleton commented on DERBY-6807:
----------------------------------------

I propose to do the following to resolve this issue:

1) Modify XmlVTI and SqlXmlUtils to perform

    dBF.setFeature( "http://xml.org/sax/features/external-general-entities", false );

2) Modify the XXE regression tests to demonstrate the new, not vulnerable, behavior.

3) Write a release note alerting the community to the fact that Derby's XML parsing
   logic will no longer allow any expansion of external general entities, and noting
   that any applications which rely on this behavior will need to be modified.

Note that I do NOT propose to make the first change configurable; it will be unconditional.

We may need to revisit this decision if it proves undesirable in the broader community,
but I'd rather start by solidly closing the security hole and then seeing what response we
get.


> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
>                 Key: DERBY-6807
>                 URL: https://issues.apache.org/jira/browse/DERBY-6807
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: error-stacktrace.out, externalGeneralEntities.diff, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose
> sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832.
> This issue was brought to our attention by Philippe Arteau.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
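As an added illustration (not Derby's code and not from the JIRA issue), the following Java program shows the effect of the single `setFeature` call proposed in the comment above: a default JAXP `DocumentBuilderFactory` and one hardened with `external-general-entities` set to `false` both parse the same constructed document, which declares an external general entity pointing at a temporary file created by the program itself. The class and method names (`XxeHardeningDemo`, `hardenedFactory`, `valueText`) and the marker string are invented for this example.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;

/**
 * Added example, not Derby code: compares a default DocumentBuilderFactory with
 * one configured the way DERBY-6807 proposes for XmlVTI and SqlXmlUtils.
 */
public class XxeHardeningDemo {

    // Hypothetical helper mirroring the proposed fix: external general
    // entities are never fetched, so a SYSTEM entity stays unexpanded.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        return dbf;
    }

    // The unhardened baseline; the JDK's bundled Xerces has historically
    // expanded external general entities with this configuration.
    static DocumentBuilderFactory defaultFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Constructed test document: an internal DTD subset declares entity
    // 'ext' as the contents of a local file and references it in <value>.
    static String documentReferencing(Path file) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE root [ <!ENTITY ext SYSTEM \"" + file.toUri() + "\"> ]>\n"
             + "<root><value>&ext;</value></root>";
    }

    // Parse with the given factory and return the text content of <value>,
    // i.e. whatever an XML-consuming query would have been handed.
    static String valueText(DocumentBuilderFactory dbf, String xml) throws Exception {
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("value").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file on the database host;
        // created and deleted by this program, nothing on the real system is read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "CONSTRUCTED-SECRET-MARKER".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        String xml = documentReferencing(secret);

        String withDefault = valueText(defaultFactory(), xml);
        String withHardened = valueText(hardenedFactory(), xml);

        System.out.println("default parser  -> \"" + withDefault + "\"");
        System.out.println("hardened parser -> \"" + withHardened + "\"");

        // On a JDK whose XML defaults already refuse external entities the
        // two results coincide; the hardened result must never contain the marker.
        if (withHardened.contains("CONSTRUCTED-SECRET-MARKER")) {
            throw new AssertionError("hardened factory still expanded the external entity");
        }
    }
}
```

With the hardened factory the entity reference is left unexpanded and `getTextContent()` of `<value>` is empty, which is the behaviour the comment's release note describes: applications that relied on external general entity expansion see empty content instead. One caveat for readers applying the same idea elsewhere: this feature covers general entities only; parameter entities (`external-parameter-entities`) and the DOCTYPE declaration itself (`disallow-doctype-decl`) are separate Xerces features, and setting those as well is the usual way to close the remaining entity-based paths.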
