CESA-2007-002 - rev 2

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Sun JDK6 breaks XXE attack protection

Programs affected: JDK6 up to and including update 3
Fixed: JDK6 update 4
Unaffected: JDKs prior to 6
Severity: Parsing of untrusted XML may lead to file theft or network ACL bypass. Standard XXE threats.

Seems to be a bug introduced by this line in com.sun.org.apache.xerces.internal.impl.XMLEntityManager:

fExternalGeneralEntities = external;//ToDo :Venu

This effectively forces on the flag that would often be used by secure software to prevent XXE attacks. As a brief refresher, the following XML mounts an XXE attack, via the DTD, which attempts to open the /dev/tty file.
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///dev/tty"> ]>


CESA-2007-002 - rev 2
Chris Evans