[ https://issues.apache.org/jira/browse/OOZIE-2489?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

abhishek bafna updated OOZIE-2489:
----------------------------------
    Fix Version/s:     (was: trunk)
                   4.3.0

> XML parsing is vulnerable
> -------------------------
>
>                 Key: OOZIE-2489
>                 URL: https://issues.apache.org/jira/browse/OOZIE-2489
>             Project: Oozie
>          Issue Type: Bug
>    Affects Versions: 4.1.0
>            Reporter: Ferenc Denes
>            Assignee: Ferenc Denes
>              Labels: security, xml
>             Fix For: 4.3.0
>
>         Attachments: OOZIE-2489-1.patch, OOZIE-2489-2.patch, 
> OOZIE-2489-3.patch
>
>
> The XML parsing has some security problems:
> XML External Entity attack:
> XML External Entities attacks benefit from an XML feature to build documents 
> dynamically at the time of processing. An XML entity allows inclusion of data 
> dynamically from a given resource. External entities allow an XML document to 
> include data from an external URI. Unless configured to do otherwise, 
> external entities force the XML parser to access the resource specified by 
> the URI, e.g., a file on the local machine or on a remote system. This 
> behavior exposes the application to XML External Entity (XXE) attacks, which 
> can be used to perform denial of service of the local system, gain 
> unauthorized access to files on the local machine, scan remote machines, and 
> perform denial of service of remote systems.
> The following XML document shows an example of an XXE attack.
> <?xml version="1.0" encoding="ISO-8859-1"?>
> <!DOCTYPE foo [
> <!ELEMENT foo ANY >
> <!ENTITY xxe SYSTEM "file:///dev/random" >]><foo>&xxe;</foo>
> This example could crash the server (on a UNIX system), if the XML parser 
> attempts to substitute the entity with the contents of the /dev/random file.
> XML Entity Expansion injection, also known as an XML Bomb, is a DoS attack that 
> benefits from valid and well-formed XML blocks that expand exponentially until 
> they exhaust the server's allocated resources. XML allows the definition of custom 
> entities which act as string substitution macros. By nesting recurrent entity 
> resolutions, an attacker can easily exhaust the server's resources.
> The following XML document shows an example of an XML Bomb.
> <?xml version="1.0"?>
> <!DOCTYPE lolz [
> <!ENTITY lol "lol">
> <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
> <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
> <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
> <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
> <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
> <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
> ]>
> <lolz>&lol9;</lolz>
> Both problems can be solved by setting features and parameters of the XML 
> parser factories.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
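The report closes by saying both problems are fixed by setting features on the XML parser factories. The following is an added illustration of what that looks like with the JDK's own JAXP API; it is not the OOZIE-2489 patch and not Oozie code. The class name, the temporary "secret" file and its contents are constructed for the demo; the XXE payload points at that temp file instead of /dev/random so the demo cannot hang, and the entity bomb is the one from the report, generated programmatically.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** Added demo class (hypothetical name): default vs. hardened DocumentBuilderFactory. */
public class HardenedXmlParsing {

    /** Factory with the JAXP features that make XXE and entity bombs impossible. */
    public static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: reject any <!DOCTYPE>. Both XXE and the "lol" bomb need a DTD,
        // so this one feature stops both before any entity is declared.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must accept a DOCTYPE: never fetch
        // external general/parameter entities or external DTDs.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        // Enables the JAXP secure-processing limits (entity expansion count, etc.).
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    /** Parses xml with the given factory; returns the root element's text, or null if rejected. */
    public static String parseText(DocumentBuilderFactory dbf, String xml)
            throws ParserConfigurationException {
        DocumentBuilder db = dbf.newDocumentBuilder();
        // DefaultHandler rethrows fatal errors instead of printing them to stderr.
        db.setErrorHandler(new DefaultHandler());
        try {
            Document doc = db.parse(new InputSource(new StringReader(xml)));
            return doc.getDocumentElement().getTextContent();
        } catch (SAXException | IOException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file (the report uses /dev/random).
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "s3cr3t".getBytes(StandardCharsets.UTF_8));
        String xxe = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE foo [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<foo>&xxe;</foo>";

        // The entity-expansion bomb from the report: lol2..lol9, ten references each.
        StringBuilder bomb = new StringBuilder(
                "<?xml version=\"1.0\"?>\n<!DOCTYPE lolz [\n<!ENTITY lol \"lol\">\n");
        for (int i = 2; i <= 9; i++) {
            bomb.append("<!ENTITY lol").append(i).append(" \"");
            String prev = (i == 2) ? "lol" : "lol" + (i - 1);
            for (int j = 0; j < 10; j++) {
                bomb.append('&').append(prev).append(';');
            }
            bomb.append("\">\n");
        }
        bomb.append("]>\n<lolz>&lol9;</lolz>");

        DocumentBuilderFactory unsafe = DocumentBuilderFactory.newInstance();
        System.out.println("default parser, XXE:   " + parseText(unsafe, xxe));
        System.out.println("hardened parser, XXE:  " + parseText(hardenedFactory(), xxe));
        System.out.println("hardened parser, bomb: " + parseText(hardenedFactory(), bomb.toString()));
        Files.delete(secret);
    }
}
```

With the unmodified factory the first line prints the temp file's contents, which is the unauthorized file read the report describes; the hardened factory returns null for both documents because the DOCTYPE is rejected before any entity is declared or resolved. Disabling DOCTYPE is the control to reach for first; the remaining features only matter if a workflow definition legitimately needs a DTD, and in that case FEATURE_SECURE_PROCESSING plus the external-entity features still bound the blast radius. Note that JDK 7u45 and later already cap total entity expansions (64,000 by default), so the bomb alone fails on a modern JDK even without hardening, but the external-entity file read does not, which is why the feature settings are still required.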
