xerces-j-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Glavassevich <mrgla...@ca.ibm.com>
Subject Re: Denial of service with Xerces?
Date Mon, 10 Aug 2009 22:06:07 GMT

Hi Jeff,

The specific problem reported to Apache only applied to Apache Xerces C++.
Xerces-J does not have the bug that was fixed in the C++ impl.

As a side note, for applications which do not want to trust documents
containing DTDs there's been a feature [1] available in Xerces-J for years
which will block them. There's also the JAXP secure processing feature [2]
which folks should also be enabling if they're concerned about DoS attacks.

Thanks.

[1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
[2]
http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Jeffrey Sinclair <jeff@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:

> j-users,
>
> There was a vulnerability report relating to a denial of service attack
> with Xerces recently [1]. The vulnerability report does not appear to go
> into much detail, however the link [2] to the C++ impl of Xerces would
> suggest it relates to nested DTD structures (I assume infinite
> recursion).
>
> The report lists all versions of Apache Xerces as being impacted. Would
> someone be able to confirm if there is an issue with Xerces for Java and
> if so what the actual issue is?
>
> Thanks in advance for any help.
>
> Regards,
>
> Jeff
>
> [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> [2] http://svn.apache.org/viewvc?view=rev&revision=781488
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: j-users-unsubscribe@xerces.apache.org
> For additional commands, e-mail: j-users-help@xerces.apache.org
Mime
View raw message