Sun released JDK 6u4, which fixes a possibly nasty issue where one of the XXE (XML External Entity) protection methods for the default XML parser was broken.
My advisory is at http://scary.beasts.org/security/CESA-2007-002.html
Sun's advisory is at http://sunsolve.sun.com/search/document.do?assetkey=1-66-231246-1
Secunia picked it up at http://secunia.com/advisories/28746/
Web services are obviously a key concern here. I haven't checked to see how the common web service frameworks do XXE protection. It's possible to ban DTDs outright, but I'd suspect it's more common to use the broken parser property http://xml.org/sax/features/external-general-entities.
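Since the bug is that a protection feature was silently not honoured, the useful check is to prove, on the JDK you actually run, that each protection stops an external entity from being expanded. The following is an added example, not code from the post or from Sun: it parses a constructed document whose external entity points at a temp file containing a canary string, once with no protection, once with the two SAX external-entity features turned off (the property the post discusses, plus its parameter-entity counterpart), and once with the Xerces-specific `disallow-doctype-decl` feature that bans DTDs outright. It assumes the JDK's default `DocumentBuilderFactory` is the bundled Xerces parser, which understands those feature names; a different JAXP implementation may reject `disallow-doctype-decl` with a `ParserConfigurationException`.

```java
import java.io.File;
import java.io.FileWriter;
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeCheck {
    // The SAX feature named in the post, and its parameter-entity counterpart.
    static final String EXT_GENERAL =
        "http://xml.org/sax/features/external-general-entities";
    static final String EXT_PARAM =
        "http://xml.org/sax/features/external-parameter-entities";
    // Xerces-specific feature: any DOCTYPE becomes a fatal parse error (bans DTDs outright).
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    static final String CANARY = "CANARY-SECRET";

    static Document parse(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    // Returns true if the canary leaked into the parsed document's text content.
    static boolean leaked(DocumentBuilderFactory f, String xml) throws Exception {
        return parse(f, xml).getDocumentElement().getTextContent().contains(CANARY);
    }

    public static void main(String[] args) throws Exception {
        // Constructed canary file (an assumption of this example): its contents must
        // never reach the DOM when a protection is in effect.
        File canary = File.createTempFile("xxe-canary", ".txt");
        canary.deleteOnExit();
        FileWriter w = new FileWriter(canary);
        try { w.write(CANARY); } finally { w.close(); }

        // Constructed XXE probe document referencing the canary as an external entity.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE doc [ <!ENTITY ext SYSTEM \"" + canary.toURI() + "\"> ]>\n"
            + "<doc>&ext;</doc>";

        // 1. Baseline: default factory, no protection. Expected: the entity expands.
        DocumentBuilderFactory plain = DocumentBuilderFactory.newInstance();
        System.out.println("no protection        -> "
            + (leaked(plain, xml) ? "EXPANDED" : "blocked"));

        // 2. Feature-based protection. On a parser that honours the features the
        //    reference is skipped and the canary is absent; if it still expands,
        //    the parser is broken in the way the advisory describes.
        DocumentBuilderFactory feat = DocumentBuilderFactory.newInstance();
        feat.setFeature(EXT_GENERAL, false);
        feat.setFeature(EXT_PARAM, false);
        System.out.println("entity features off  -> "
            + (leaked(feat, xml) ? "EXPANDED (parser does not honour the feature)" : "blocked"));

        // 3. Ban DTDs outright: the DOCTYPE itself is rejected before any entity is seen.
        DocumentBuilderFactory strict = DocumentBuilderFactory.newInstance();
        strict.setFeature(DISALLOW_DOCTYPE, true);
        try {
            boolean l = leaked(strict, xml);
            System.out.println("doctype disallowed   -> "
                + (l ? "EXPANDED (feature not honoured)" : "parsed without error (feature not honoured)"));
        } catch (SAXParseException e) {
            System.out.println("doctype disallowed   -> blocked (" + e.getMessage() + ")");
        }
    }
}
```

Run it under the JDK that your web service framework actually uses, not just the one on your development box: the first line should say EXPANDED and the other two should say blocked. Banning DTDs is the more robust choice where the application has no need for them, because it fails closed at the DOCTYPE rather than relying on the entity-loading code path being correct.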
I'd love feedback on specific affected technologies.