Sun JRE / JDK bug introduces XXE possibilities

Credit: Chris Evans
Risk: Low
Local: Yes
Remote: Yes
CWE: CWE-264

CVSS Base Score: 7.8/10
Impact Subscore: 7.8/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Complete

Hi, Now that Sun has fixed this in JDK6u4, I thought this might be of interest to people: Essentially, one common XXE protection method was broken in the default XML parser, in JDK6. In particular, I'm worried about web services (and other server-side XML accepting technologies) deployed under JDK6. I haven't had time to look into common web service frameworks and see how they implement XXE protection. Might be interesting to look into specific technologies that broke. Cheers Chris

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024,


Back to Top