[ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14604330#comment-14604330 ]
Bryan Pendleton commented on DERBY-6807:
----------------------------------------

I propose to do the following to resolve this issue:

1) Modify XmlVTI and SqlXmlUtils to perform dBF.setFeature( "http://xml.org/sax/features/external-general-entities", false );

2) Modify the XXE regression tests to demonstrate the new, not vulnerable, behavior.

3) Write a release note alerting the community to the fact that Derby's XML parsing logic will no longer allow any expansion of external general entities, and noting that any applications which rely on this behavior will need to be modified.

Note that I do NOT propose to make the first change configurable; it will be unconditional. We may need to revisit this decision if it proves undesirable in the broader community, but I'd rather start by solidly closing the security hole and then seeing what response we get.

> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
>                 Key: DERBY-6807
>                 URL: https://issues.apache.org/jira/browse/DERBY-6807
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: error-stacktrace.out, externalGeneralEntities.diff, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe Arteau.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
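The factory setting from step 1 of the proposal, shown as an added example (not Derby's own code) applied to a constructed document that declares an external general entity; the class name, helper methods and the placeholder SYSTEM id are assumptions made for the example.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class ExternalGeneralEntityDemo {

    // The SAX feature the DERBY-6807 proposal turns off on Derby's DocumentBuilderFactory.
    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";

    /** Builds a DocumentBuilderFactory configured the way step 1 of the proposal describes. */
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dBF = DocumentBuilderFactory.newInstance();
        // Unconditional, as proposed: external general entities are never resolved.
        // This feature alone does not touch parameter entities or the DOCTYPE itself.
        dBF.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        return dBF;
    }

    /** Parses the document with the given factory and returns the root element's text. */
    static String rootText(DocumentBuilderFactory dBF, String xml) throws Exception {
        DocumentBuilder builder = dBF.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample (hypothetical): the DTD declares an external general
        // entity whose SYSTEM id is a placeholder path, and the body references it.
        String xml =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER/not-a-real-file\"> ]>\n"
          + "<doc>&ext;</doc>";

        // With the feature disabled the parser skips the reference rather than
        // resolving the SYSTEM id, so the document still parses, the root
        // element carries no text from the entity, and nothing is read from disk.
        String text = rootText(hardenedFactory(), xml);
        System.out.println("root text: [" + text + "]");
    }
}
```

Running the same document through a factory without the feature set is what the XXE regression tests in step 2 are meant to contrast against.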