[ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Pendleton updated DERBY-6807: ----------------------------------- Attachment: secureXmlVTI.diff Attached secureXmlVTI.diff is my proposed change to make the XmlVTI secure against external entity attacks. It does so by disabling external entity expansion entirely, which is a loss in functionality, but a gain in security. Since the Derby VTI interface is public and fully extensible (see https://db.apache.org/derby/docs/10.11/devguide/cdevspecialtfbasic.html ), anyone who wishes to have an XmlVTI which supports external entity expansion can simply define their own. But the built-in Derby XmlVTI will not, for security reasons. > XXE attack possible by using XmlVTI and the XML datatype > -------------------------------------------------------- > > Key: DERBY-6807 > URL: https://issues.apache.org/jira/browse/DERBY-6807 > Project: Derby > Issue Type: Bug > Affects Versions: 10.11.1.1 > Reporter: Rick Hillegas > Attachments: error-stacktrace.out, externalGeneralEntities.diff, > secureXmlVTI.diff, xmltest.diff > > > The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to > expose sensitive information or launch denial-of-service assaults. This issue > has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe > Arteau. -- This message was sent by Atlassian JIRA (v6.3.4#6332)