xerces-j-users mailing list archives

From Michael Glavassevich <mrgla...@ca.ibm.com>
Subject Re: Denial of service with Xerces?
Date Tue, 11 Aug 2009 12:44:36 GMT

Hi Jeff,

From reading CERT-FI's report it's apparent that Sun fixed something in
their JDK but as you probably know what they ship is based off of a fork of
Xerces (many years old now) that they've done all sorts of development on.
It's possible that we've fixed whatever they fixed already (though possibly
not released yet since we haven't had a release in a couple years
ourselves) or that it was a bug unique to their fork. Hard to say without
the details.

Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Jeffrey Sinclair <jeff@cooljeff.co.uk> wrote on 08/11/2009 01:44:53 AM:

> Thanks Michael.
>
> I'm going to see if I can provide feedback to cert.fi. Their original
> vulnerability report suggests that it is a Java problem too. Not only
> have they listed 'all' versions of Xerces but they have also listed the
> JAXP impl bundled in the JDK (which I know is no longer Xerces).
>
> Jeff
>
> On Mon, 2009-08-10 at 18:06 -0400, Michael Glavassevich wrote:
> > Hi Jeff,
> >
> > The specific problem reported to Apache only applied to Apache Xerces
> > C++. Xerces-J does not have the bug that was fixed in the C++ impl.
> >
> > As a side note, for applications which do not want to trust documents
> > containing DTDs there's been a feature [1] available in Xerces-J for
> > years which will block them. There's also the JAXP secure processing
> > feature [2] which folks should also be enabling if they're concerned
> > about DoS attacks.
> >
> > Thanks.
> >
> > [1]
> > http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> > [2]
> > http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
> >
> > Michael Glavassevich
> > XML Parser Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
> >
> > Jeffrey Sinclair <jeff@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:
> >
> > > j-users,
> > >
> > > There was a vulnerability report relating to a denial of service attack
> > > with Xerces recently [1]. The vulnerability report does not appear to go
> > > into much detail, however the link [2] to the C++ impl of Xerces would
> > > suggest it relates to nested DTD structures (I assume infinite
> > > recursion).
> > >
> > > The report lists all versions of Apache Xerces as being impacted. Would
> > > someone be able to confirm if there is an issue with Xerces for Java and
> > > if so what the actual issue is?
> > >
> > > Thanks in advance for any help.
> > >
> > > Regards,
> > >
> > > Jeff
> > >
> > > [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> > > [2] http://svn.apache.org/viewvc?view=rev&revision=781488
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: j-users-unsubscribe@xerces.apache.org
> > > For additional commands, e-mail: j-users-help@xerces.apache.org
> >
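Added example (not code from the thread or from the Xerces project): the two mitigations Michael points to in the quoted message, the Xerces `disallow-doctype-decl` feature [1] and the JAXP `FEATURE_SECURE_PROCESSING` flag [2], enabled on a `DocumentBuilderFactory`, then exercised against two constructed documents, one without a DOCTYPE and one with a harmless internal DTD. The feature URI is the one behind link [1]; the class name `HardenedXmlParsing`, the helper names and the two sample documents are this example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class HardenedXmlParsing {

    // Feature URI from link [1] in the thread: any document carrying a DOCTYPE
    // is rejected with a fatal error, so DTD-driven expansion never starts.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a DocumentBuilder with both features from the thread enabled. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Link [2] in the thread: JAXP secure processing, which in Xerces-J
        // switches on resource limits such as the entity expansion limit.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Link [1]: refuse DTDs outright. A JAXP implementation that does not
        // know this URI throws ParserConfigurationException here, which is the
        // outcome we want: fail closed rather than parse unprotected.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        // Belt and braces: no XInclude, no entity expansion in the DOM tree.
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** Returns true when the parser accepts the document, false when it rejects it. */
    static boolean accepts(DocumentBuilder builder, String xml) throws IOException {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getDocumentElement() != null;
        } catch (SAXException e) {
            // disallow-doctype-decl reports the DOCTYPE as a fatal parse error.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = newHardenedBuilder();

        // Constructed sample inputs for this example.
        String plain = "<order><item>widget</item></order>";
        String withDtd = "<!DOCTYPE order [<!ELEMENT order ANY>]><order/>";

        System.out.println("plain document accepted:   " + accepts(builder, plain));
        System.out.println("DOCTYPE document accepted: " + accepts(builder, withDtd));
    }
}
```

With both features on, the first document parses and the second is refused, because `disallow-doctype-decl` rejects every DOCTYPE, harmless or not. That is the trade-off Michael's wording captures: it fits applications that never need to accept a DTD. Where DTDs must be accepted, `FEATURE_SECURE_PROCESSING` on its own still imposes Xerces-J's entity expansion limit, and an application should additionally supply its own `ErrorHandler` rather than rely on the default handler, which only writes the fatal error to stderr.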