Sun JRE / JDK bug introduces XXE possibilities
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Sun JRE / JDK bug introduces XXE possibilities
- From: "Chris Evans" <scarybeasts@xxxxxxxxx>
- Date: Sat, 2 Feb 2008 14:21:13 +0000
Hi,
Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:
http://scarybeastsecurity.blogspot.com/
Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.
In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.
Cheers
Chris
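
A behavioural self-test for the situation the message describes, where an XXE protection setting on the default parser may not take effect. This is an added example, not code from the original post or from Sun; the class name, the canary string and the choice of the `external-general-entities` and `external-parameter-entities` features are assumptions, since the post does not name the affected setting.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeSelfTest {
    // Constructed marker: if it appears in the parsed text, the entity was resolved.
    static final String CANARY = "XXE-CANARY-constructed";

    /** Returns true if a parser built from this factory expands an external entity. */
    static boolean resolvesExternalEntity(DocumentBuilderFactory dbf) throws Exception {
        Path canaryFile = Files.createTempFile("xxe-canary", ".txt");
        try {
            Files.write(canaryFile, CANARY.getBytes(StandardCharsets.UTF_8));
            // Constructed test document referencing only our own temporary file.
            String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY e SYSTEM \"" + canaryFile.toUri() + "\">]>"
                + "<r>&e;</r>";
            byte[] input = xml.getBytes(StandardCharsets.UTF_8);
            Document doc;
            try {
                doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(input));
            } catch (SAXException rejected) {
                return false; // parser refused the document: protection held
            }
            return doc.getDocumentElement().getTextContent().contains(CANARY);
        } finally {
            Files.deleteIfExists(canaryFile);
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory baseline = DocumentBuilderFactory.newInstance();
        DocumentBuilderFactory hardened = DocumentBuilderFactory.newInstance();
        // Assumed protection settings (standard SAX feature names).
        hardened.setFeature("http://xml.org/sax/features/external-general-entities", false);
        hardened.setFeature("http://xml.org/sax/features/external-parameter-entities", false);

        System.out.println("unconfigured factory resolves entity: " + resolvesExternalEntity(baseline));
        boolean leaked = resolvesExternalEntity(hardened);
        System.out.println("hardened factory resolves entity:     " + leaked);
        if (leaked) System.exit(1); // setting was accepted but not honoured
    }
}
```

Run it on the exact JRE a service is deployed under; a non-zero exit means the configured setting is being accepted but ignored by that runtime.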