[https://issues.apache.org/jira/browse/AXIS2-6060?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17766557#comment-17766557]
Robert Lazarski commented on AXIS2-6060:
----------------------------------------
An XXE attack is by definition DTD only and not relevant to XML schemas, correct?

SOAP disallows DTDs. So I am not sure an XXE attack in Axis2 is even theoretically possible.

Furthermore, the axis2 codegen module is a client side tool set that doesn't run on the server.

There are well documented code tweaks on the DocumentBuilderFactory class to prevent XXE attacks, however I fail to see the need for it.
> [Axis2] Security Vulnerability - Action Required: XXE vulnerability in the newest version of org.apache.axis2:axis2
> ----------------------------------------------------------------------------------------------------
>
> Key: AXIS2-6060
> URL: https://issues.apache.org/jira/browse/AXIS2-6060
> Project: Axis2
> Issue Type: Bug
> Components: codegen, wsdl
> Affects Versions: 1.8.0
> Reporter: Yiheng Cao
> Priority: Major
>
> The vulnerability is present in the class org.apache.axis2.wsdl.codegen.extension.JAXBRIExtension in the method getNamespaceAwareDocumentBuilder(), which is responsible for getting a DocumentBuilder object that supports namespace resolution. The vulnerable call chain we discovered is: *engage(CodeGenConfiguration configuration) → loadAdditionalSchemas() → getNamespaceAwareDocumentBuilder().*
>
> Given that the XML schema files stored in /org/apache/axis2/wsdl/codegen/schema/ have been compromised by a hacker, the victim conducts a regular process which incorporates the execution of the method engage(), resulting in an XML External Entity (XXE) Injection attack.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
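The "code tweaks on the DocumentBuilderFactory class" referred to in the comment above, as an added illustration that is not Axis2 code and not part of the thread: a hypothetical namespace-aware builder, hardened with the standard JAXP/Xerces features so that a tampered schema file carrying a DOCTYPE is rejected instead of having its external entity resolved. The class name, the method name and both sample documents are constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
public class HardenedSchemaLoader {
    // Hypothetical hardened equivalent of a namespace-aware builder: same contract
    // (a namespace-aware DocumentBuilder), but DTDs and external entities are refused.
    static DocumentBuilder newNamespaceAwareBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Primary defence: reject any DOCTYPE, which is where an XXE payload has to live.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth, in case a parser implementation ignores the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        // JAXP 1.5 access properties: no external DTD or schema fetches at all.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return dbf.newDocumentBuilder();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a schema file tampered with to add a DTD declaring an
        // external entity (placeholder URI). A hardened builder must refuse to parse it.
        String tamperedSchema =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE xs:schema [<!ENTITY ext SYSTEM \"file:///placeholder/path\">]>\n"
          + "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">&ext;</xs:schema>";
        // Constructed sample: an untouched schema, which must still parse normally.
        String cleanSchema =
            "<xs:schema xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" targetNamespace=\"urn:example\"/>";
        DocumentBuilder builder = newNamespaceAwareBuilder();
        Document ok = builder.parse(new ByteArrayInputStream(cleanSchema.getBytes(StandardCharsets.UTF_8)));
        System.out.println("clean schema root: {" + ok.getDocumentElement().getNamespaceURI() + "}"
            + ok.getDocumentElement().getLocalName());
        try {
            builder.parse(new ByteArrayInputStream(tamperedSchema.getBytes(StandardCharsets.UTF_8)));
            System.out.println("UNEXPECTED: tampered schema was parsed");
        } catch (SAXParseException e) {
            // With disallow-doctype-decl the parser stops at the DOCTYPE line before any entity is resolved.
            System.out.println("rejected tampered schema: " + e.getMessage());
        }
    }
}
```

With the JDK's built-in Xerces parser the tampered document fails at the DOCTYPE declaration, so the external entity is never fetched; the same feature set is what the OWASP XXE prevention guidance recommends for DocumentBuilderFactory.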