xerces-j-users mailing list archives
From Jeffrey Sinclair <j...@cooljeff.co.uk>
Subject Re: Denial of service with Xerces?
Date Tue, 11 Aug 2009 05:44:53 GMT
Thanks Michael.

I'm going to see if I can provide feedback to cert.fi. Their original
vulnerability report suggests that it is a Java problem too. Not only
have they listed 'all' versions of Xerces but they have also listed the
JAXP impl bundled in the JDK (which I know is no longer Xerces).

Jeff
 
On Mon, 2009-08-10 at 18:06 -0400, Michael Glavassevich wrote:
> Hi Jeff,
> 
> The specific problem reported to Apache only applied to Apache Xerces
> C++. Xerces-J does not have the bug that was fixed in the C++ impl.
> 
> As a side note, for applications which do not want to trust documents
> containing DTDs there's been a feature [1] available in Xerces-J for
> years which will block them. There's also the JAXP secure processing
> feature [2] which folks should also be enabling if they're concerned
> about DoS attacks.
> 
> Thanks.
> 
> [1]
> http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> [2]
> http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
> 
> Michael Glavassevich
> XML Parser Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
> 
> Jeffrey Sinclair <jeff@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:
> 
> > j-users,
> > 
> > There was a vulnerability report relating to a denial of service attack
> > with Xerces recently [1]. The vulnerability report does not appear to go
> > into much detail, however the link [2] to the C++ impl of Xerces would
> > suggest it relates to nested DTD structures (I assume infinite
> > recursion).
> > 
> > The report lists all versions of Apache Xerces as being impacted. Would
> > someone be able to confirm if there is an issue with Xerces for Java and
> > if so what the actual issue is?
> > 
> > Thanks in advance for any help.
> > 
> > Regards,
> > 
> > Jeff
> > 
> > [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> > [2] http://svn.apache.org/viewvc?view=rev&revision=781488
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-users-unsubscribe@xerces.apache.org
> > For additional commands, e-mail: j-users-help@xerces.apache.org
> 


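An added example, not code from the thread or from the Xerces project, showing the two mitigations Michael points to applied to a JAXP `DocumentBuilderFactory` backed by Xerces-J: the `disallow-doctype-decl` feature from [1] and `FEATURE_SECURE_PROCESSING` from [2]. The feature URI is the one documented on the Xerces-J features page; the two sample documents and the class name are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class HardenedXmlParser {

    // Xerces-J feature from [1] in the thread: reject any document carrying a DOCTYPE.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Build a factory with both features enabled. setFeature throws
    // ParserConfigurationException if the underlying parser does not support
    // the feature, so a non-Xerces JAXP implementation fails loudly here
    // instead of silently parsing DTDs.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // [2] in the thread: JAXP secure processing (resource limits on expansion)
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // [1] in the thread: no DTD means no internal subset to recurse or expand
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Constructed sample inputs: a plain document and the same document with a DTD.
    static final String PLAIN = "<order><id>42</id></order>";
    static final String WITH_DTD =
        "<!DOCTYPE order [<!ELEMENT order (id)> <!ELEMENT id (#PCDATA)>]>"
        + "<order><id>42</id></order>";

    // Returns true if the document parses under the hardened configuration.
    static boolean parses(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            // With disallow-doctype-decl on, the parser raises a fatal error at
            // the DOCTYPE declaration, before the DTD contents are processed.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory f = hardenedFactory();
        System.out.println("plain document parses: " + parses(f, PLAIN));
        System.out.println("document with DTD parses: " + parses(f, WITH_DTD));
    }
}
```

Applications that legitimately need DTDs can keep `FEATURE_SECURE_PROCESSING` on and leave `DISALLOW_DOCTYPE` off, but then rely on the secure-processing limits alone.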