[ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14599453#comment-14599453 ]
Bryan Pendleton commented on DERBY-6807:
----------------------------------------

I believe that using a properly-configured Java Security Manager policy prevents all of the XXE attacks. However, it is possible to configure Derby to run without a Java Security Manager (though that is a non-default configuration).

We could, potentially, change our invocation of the XML parser by adding either:

    dBF.setFeature( "http://xml.org/sax/features/external-general-entities", false );

or

    dBF.setAttribute( "http://apache.org/xml/features/disallow-doctype-decl", true );

However, either of these changes would potentially break legitimate use of those XML parser features (external general entities and DOCTYPE declarations) in some existing Derby application which has a properly configured Security Manager and hence is not currently vulnerable to XXE attacks. I don't know of any such applications, and such applications are at indirect risk because if they should at some point be changed to no longer have the Security Manager protections, they would become vulnerable in a subtle way.

tl;dr: I think that adding

    dBF.setFeature( "http://xml.org/sax/features/external-general-entities", false );

to the Derby code would increase its security at the risk of potentially breaking some applications.

> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
>                 Key: DERBY-6807
>                 URL: https://issues.apache.org/jira/browse/DERBY-6807
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: error-stacktrace.out, externalGeneralEntities.diff, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe Arteau.
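The two parser settings discussed in the comment, shown side by side with a default DocumentBuilderFactory so a maintainer can see which configuration actually refuses a document carrying a DOCTYPE with an external general entity. This is an added example, not Derby code or anything from the thread; the sample XML and the "canary" EntityResolver are constructed here, and the extra settings beyond the comment's two (external-parameter-entities, XInclude, entity expansion) are standard JAXP/SAX names added on my own account.

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardeningCheck {
    // Constructed sample: a DOCTYPE declaring one external general entity and using it.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE doc [<!ENTITY ext SYSTEM \"http://example.invalid/constructed\">]>"
      + "<doc>&ext;</doc>";

    /** Factory with the settings from the comment (setFeature form for both),
     *  plus assumed extras; disallow-doctype-decl alone already rejects SAMPLE. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
        dBF.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dBF.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Assumed additions, not in the comment: parameter entities, XInclude, expansion.
        dBF.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dBF.setXIncludeAware(false);
        dBF.setExpandEntityReferences(false);
        return dBF;
    }

    /** True when the parser refused the document; prints whether a fetch was attempted. */
    static boolean rejects(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        boolean[] fetched = {false};
        // Canary resolver: records any external-entity fetch and answers with constructed
        // text, so the default configuration never touches the network or file system here.
        b.setEntityResolver((publicId, systemId) -> {
            fetched[0] = true;
            return new InputSource(new StringReader("FETCHED"));
        });
        try {
            Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            System.out.println("parsed; fetch attempted=" + fetched[0]
                + "; text=" + d.getDocumentElement().getTextContent());
            return false;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default  rejects? " + rejects(DocumentBuilderFactory.newInstance(), SAMPLE));
        System.out.println("hardened rejects? " + rejects(hardenedFactory(), SAMPLE));
    }
}
```

With the JDK's built-in Xerces parser the default factory parses the sample and reports that a fetch was attempted, while the hardened factory throws a SAXParseException at the DOCTYPE, which is the behaviour the comment weighs against compatibility.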