Sun JRE / JDK bug introduces XXE possibilities

2008.02.06

Credit: Chris Evans

Risk: Low

Local: Yes

Remote: Yes

CVE: CVE-2008-0628

CWE: CWE-264

CVSS Base Score: 7.8/10

Impact Subscore: 7.8/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: Complete

Hi,
Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:
http://scarybeastsecurity.blogspot.com/
Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.
In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.
Cheers
Chris

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Sun JRE / JDK bug introduces XXE possibilities

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.