xerces-j-users mailing list archives

From Jeffrey Sinclair <j...@cooljeff.co.uk>
Subject Re: Denial of service with Xerces?
Date Tue, 11 Aug 2009 19:38:23 GMT

I followed up with the cert.fi group, who posted the vulnerability, to
clarify the impact they mentioned in the Java implementations. As you
pointed out, the DoS issue with Xerces-C is different. On the Java side
they were specifically referring to bad characters in the DTD which can
result in an infinite loop. This appears to have been patched recently
in Xerces-J [1]. I also received a mail outside of the group
re-iterating what cert.fi told me (thanks to Steve Jones).

Could you confirm that the check-in to the XMLScanner [1] was intended
to fix this vulnerability? Also are there any plans for a 2.9.2 to be
released to resolve this?


As Michael pointed out, my comment around the JDK JAXP impl not being
Xerces was because it is kind of forked. Personally I don't recommend
that the JAXP impl bundled in the JDK be used in our enterprise
environment for two main reasons. Firstly, in the past, it has lagged
behind the current Xerces-J version which results in bug fixes taking
time to be 'back ported'. Secondly, there have been discrepancies in
behaviour in the past which makes it very hard to switch JVM vendors
with the expectation that the JAXP stack will work as expected.

Having said this, this specific vulnerability looks to have been fixed
as of Sun Java 1.6.0_15 and Sun 1.5.0_20 [2].

[1] http://marc.info/?l=xerces-cvs&m=124569778024398&w=2
[2] http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1



On Tue, 2009-08-11 at 12:13 -0400, Michael Glavassevich wrote:
> Elliotte Rusty Harold <elharo@ibiblio.org> wrote on 08/11/2009 09:51:56 AM:
> > On Mon, Aug 10, 2009 at 10:44 PM, Jeffrey Sinclair<jeff@cooljeff.co.uk> wrote:
> > > Thanks Michael.
> > >
> > > I'm going to see if I can provide feedback to cert.fi. Their original
> > > vulnerability report suggests that it is a Java problem too. Not only
> > > have they listed 'all' versions of Xerces but they have also listed the
> > > JAXP impl bundled in the JDK (which I know is no longer Xerces).
> > >
> > 
> > Really? Since when. I know it used to be Xerces, and I thought it
> > still was (modulo Sun patches and repackaging). In what version did
> > this change?
> I think Jeff was referring to the amount of forking which Sun has done
> to Xerces. At this point I believe what they ship is very different
> than Apache Xerces. I'm not sure how folks got the impression that
> it's just "patches". I understand that they did significant
> development and re-architecture to accommodate StAX, work which has
> never made its way into the Apache codebase. Ditto for what was in
> Java 5 (for JAXP 1.3), also released by Sun before Xerces ever had
> those capabilities.
> > -- 
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> > 
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: j-users-unsubscribe@xerces.apache.org
> > For additional commands, e-mail: j-users-help@xerces.apache.org
> Thanks.
> Michael Glavassevich
> XML Parser Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org

To unsubscribe, e-mail: j-users-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-users-help@xerces.apache.org
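Added example, not code from this thread or from the Xerces project: a small Java program that (a) reports which JAXP DocumentBuilder implementation the running JVM actually resolves, which is the practical way to tell whether you are on Apache Xerces-J or the JDK's forked copy, and (b) builds a DocumentBuilderFactory that refuses any DOCTYPE, so an untrusted DTD never reaches the DTD scanner whether or not the XMLScanner fix referenced in [1] is present in your runtime. The feature URIs are the documented Xerces-J feature names; the class name XercesDtdHardening, its methods, and the two sample documents are assumptions made for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XercesDtdHardening {
    // Documented Xerces-J feature names. The JDK's forked parser honours them too;
    // a JAXP provider that does not know them throws ParserConfigurationException
    // from setFeature rather than silently ignoring them, which is itself a useful check.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    static final String LOAD_EXTERNAL_DTD =
        "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    // Which parser does JAXP's service lookup hand us on this JVM/classpath?
    // Expect org.apache.xerces.jaxp.* for Apache Xerces-J, or
    // com.sun.org.apache.xerces.internal.jaxp.* for the JDK-bundled fork.
    public static String parserImplementation() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder().getClass().getName();
    }

    // Factory configured so that no DTD (internal or external) is ever processed.
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);   // reject any <!DOCTYPE ...> as a fatal error
        f.setFeature(LOAD_EXTERNAL_DTD, false); // belt and braces: never fetch an external DTD
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("JAXP DocumentBuilder impl: " + parserImplementation());

        // Constructed sample input (not from the thread): one document with an internal
        // DTD subset and one without. The hardened parser rejects the first before the
        // DTD scanner sees any of its contents, so malformed DTD characters cannot matter.
        String withDoctype = "<!DOCTYPE r [<!ELEMENT r (#PCDATA)>]><r>hi</r>";
        String plain = "<r>hi</r>";

        DocumentBuilder db = hardenedFactory().newDocumentBuilder();
        db.parse(new InputSource(new StringReader(plain)));
        System.out.println("plain document accepted");
        try {
            db.parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("unexpected: DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("DOCTYPE rejected as intended: " + e.getMessage());
        }
    }
}
```

Run it once with Apache Xerces-J on the classpath and once without, and compare the reported implementation class; if the two JVMs you need to support resolve different parsers, that is the vendor-switching concern raised above made concrete. Disallowing the DOCTYPE is only appropriate where your documents do not legitimately need a DTD; where they do, the fix in [1] (or the patched JDK builds in [2]) is the relevant control.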
