[ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14599453#comment-14599453 ]

Bryan Pendleton commented on DERBY-6807:
----------------------------------------

I believe that using a properly-configured Java Security Manager policy prevents
all of the XXE attacks. However, it is possible to configure Derby to run without
a Java Security Manager (though that is a non-default configuration).

We could, potentially, change our invocation of the XML parser by adding either:

    dBF.setFeature( "http://xml.org/sax/features/external-general-entities", false );

or

    dBF.setAttribute( "http://apache.org/xml/features/disallow-doctype-decl", true );

However, either of these changes would potentially break legitimate use of
those XML parser features (external general entities and DOCTYPE declarations)
in some existing Derby application which has a properly configured Security
Manager and hence is not currently vulnerable to XXE attacks.

I don't know of any such applications, and such applications are at indirect risk
because if they should at some point be changed to no longer have the
Security Manager protections, they would become vulnerable in a subtle way.

tl;dr: I think that adding
dBF.setFeature( "http://xml.org/sax/features/external-general-entities", false );
to the Derby code would increase its security at the risk of potentially breaking
some applications.

> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
>                 Key: DERBY-6807
>                 URL: https://issues.apache.org/jira/browse/DERBY-6807
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: error-stacktrace.out, externalGeneralEntities.diff, 
> xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to 
> expose sensitive information or launch denial-of-service assaults. This issue 
> has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe 
> Arteau.
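An added example, not Derby's own code and not part of the issue thread, showing what each of the two DocumentBuilderFactory settings discussed in the comment does to a constructed document that declares an external general entity. The class, method names and the sample document are assumptions; the external-parameter-entities line is an extra setting beyond the comment's two options.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeFeatureDemo {
    // Constructed sample input: a DOCTYPE declaring an external general entity.
    // The SYSTEM id is a placeholder; what matters is whether the parser tries to read it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist\"> ]>\n"
      + "<doc>&ext;</doc>";

    // Option 1 from the comment: DOCTYPEs are still accepted, but external general
    // entities are never resolved (parameter entities disabled here as well).
    static DocumentBuilderFactory noExternalGeneralEntities() throws Exception {
        DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
        dBF.setNamespaceAware(true);
        dBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return dBF;
    }

    // Option 2 from the comment: any document carrying a DOCTYPE is rejected outright.
    static DocumentBuilderFactory noDoctype() throws Exception {
        DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
        dBF.setNamespaceAware(true);
        dBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dBF;
    }

    // Parses SAMPLE with the given factory and describes the outcome.
    static String tryParse(String label, DocumentBuilderFactory dBF) {
        try {
            Document d = dBF.newDocumentBuilder()
                            .parse(new InputSource(new StringReader(SAMPLE)));
            return label + ": parsed; <doc> text = '"
                 + d.getDocumentElement().getTextContent() + "'";
        } catch (SAXParseException e) {
            return label + ": rejected (" + e.getMessage() + ")";
        } catch (Exception e) {
            return label + ": failed (" + e + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Option 1 parses, but the placeholder file is never opened, so no file content leaks.
        System.out.println(tryParse("external-general-entities=false", noExternalGeneralEntities()));
        // Option 2 fails at the DOCTYPE itself, which is the stricter of the two.
        System.out.println(tryParse("disallow-doctype-decl=true", noDoctype()));
    }
}
```

With the default factory, the same document makes the parser attempt to open the SYSTEM id, which is the behaviour the comment's proposed change removes.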



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to