My understanding is that the bug has to do with the presence of untrusted XML parsing implementations of the DocumentBuilder interface in a JVM, which implies that you don't control the code in your JVM, or you are tremendously unwisely mixing code that "matters" with code managed by somebody else you don't trust.
-- Scott