Last Updated: 2009-08-08 17:30:56 UTC
by Guy Bruneau (Version: 1)
We have received reports that several vulnerabilities have been discovered in XML library implementations when parsing XML data. These vulnerabilities were reported by Codenomicon Labs to CERT-FI, which has been the main contact point with vendors to coordinate remediation. According to the CERT-FI advisory, an unpatched application that parses attacker-supplied XML can read memory out of bounds or loop indefinitely, leading to a denial of service and potentially to code execution.
According to Codenomicon Labs, any application using XML may be affected, and different implementations have different flaws. Python is currently working on a fix, Sun has issued an update, and Apache has made a patch available.
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September
Last Updated: 2009-08-08 01:25:31 UTC
by Kevin Liston (Version: 1)
According to Sun: "Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager) is the single solution for Web access management, federation, and Web services security." This doesn't affect every network out there, but the larger outfits might be running it, and they should be responding to this.
Sun recently published advisories addressing three vulnerabilities ranging from Denial of Service to execution of arbitrary code.
CVE-2008-3529: Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
Base CVSS 10.0
CVE-2008-4225: Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.
Base CVSS 7.8
CVE-2008-4226: Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.
Base CVSS 10.0
Note: what these three CVEs have in common is the libxml2 2.7.x line: the heap overflow is fixed in 2.7.0, and the two integer overflows, reported against 2.7.2, are fixed upstream in 2.7.3.
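All of the bugs above, in libxml2 as well as the Xerces and Python parsers from the earlier diary entry, are reached through attacker-controlled input: a very large document for the two integer overflows, a long entity name for the heap overflow, and malformed input for the infinite loops. Patching the library is the fix. Until that is done, an application can refuse the inputs those code paths need before the parser sees them. The following is an added example written for this diary, not code from the ISC, Sun, Apache or the libxml2 project: a bounded, DTD-free incremental parse in Python. It uses Python's expat binding (pyexpat), not libxml2, so it demonstrates the pattern rather than the patched library; the byte and nesting limits and the sample documents are assumed values constructed for the example.

```python
"""Added example (not from the ISC diary or any vendor): bounded, DTD-free
XML parsing as defence in depth.  Uses pyexpat, not libxml2; the pattern is
the same for any incremental parser API.
"""
import io
import xml.parsers.expat as expat

MAX_BYTES = 1 << 20   # assumed per-document budget; size it to your real messages
MAX_DEPTH = 64        # assumed nesting limit
CHUNK = 8192


class RejectedXML(ValueError):
    """Document refused by policy (as opposed to refused by the parser)."""


def parse_bounded(stream, max_bytes=MAX_BYTES, max_depth=MAX_DEPTH):
    """Parse a binary stream incrementally under a byte and nesting budget.

    Returns (element_count, deepest_nesting).  Raises RejectedXML when a
    DOCTYPE appears (entity declarations, and so attacker-chosen entity
    names, can only live there), when the byte budget is exceeded, or when
    nesting goes past max_depth; raises expat.ExpatError on malformed XML.
    """
    parser = expat.ParserCreate()
    stats = {"elements": 0, "depth": 0, "deepest": 0}

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised in a handler aborts the parse and propagates
        # out of parser.Parse().
        raise RejectedXML("DOCTYPE not allowed (name=%r)" % name)

    def start_element(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        if stats["depth"] > max_depth:
            raise RejectedXML("nesting deeper than %d" % max_depth)
        stats["deepest"] = max(stats["deepest"], stats["depth"])

    def end_element(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = start_doctype
    parser.StartElementHandler = start_element
    parser.EndElementHandler = end_element
    # No ExternalEntityRefHandler is installed, so expat fetches nothing
    # from disk or the network even if a DTD slipped through.

    seen = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            break
        seen += len(chunk)
        if seen > max_bytes:
            # Checked before the chunk reaches the parser, so the parser
            # never accumulates more than max_bytes of attacker data.
            raise RejectedXML("document larger than %d bytes" % max_bytes)
        parser.Parse(chunk, False)
    parser.Parse(b"", True)   # end of input; a truncated document errors here
    return stats["elements"], stats["deepest"]


def parse_bytes(data, **limits):
    """Convenience wrapper for in-memory documents; same return/raise contract."""
    return parse_bounded(io.BytesIO(data), **limits)


def classify(data, **limits):
    """Verdict for an in-memory document: 'ok', 'rejected' or 'malformed'."""
    try:
        parse_bytes(data, **limits)
        return "ok"
    except RejectedXML:
        return "rejected"
    except expat.ExpatError:
        return "malformed"


# Constructed samples for the example; not real attack traffic.
SAMPLES = {
    "plain":     b"<root><a x='1'/><b>text</b></root>",
    "dtd":       b"<!DOCTYPE r [<!ENTITY e 'x'>]><r>&e;</r>",
    "deep":      b"<a>" * 70 + b"</a>" * 70,
    "truncated": b"<root><a>",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print("%-10s %s" % (label, classify(doc)))
    print("%-10s %s" % ("oversized",
                        classify(b"<r>" + b"x" * 100 + b"</r>", max_bytes=50)))
```

This narrows exposure rather than removing it: a parser bug triggered by a small, well-formed-looking document still needs the library patch, and a loop inside the parser can only be bounded from outside (a timeout on the worker doing the parsing). The value of the budget is that the "large document" and "entity declaration" preconditions quoted in the CVE texts are never met by input your service accepts.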
CVE-2008-3529, originally published in September 2008, affects a lot of platforms. Exploit code exists targeting Mac OS X, which was patched back in May 2009.
While re-using code via libraries offers efficiencies in the development and distribution of a technology, it also amplifies the impact of a vulnerability identified in that library. It may be trivial to patch the issue in the library code, but that often requires many other applications to be rebuilt or relinked. Often these applications are home-grown and not maintained by large development teams. Even organizations that have a group to manage vulnerabilities would be hard pressed to track the use of libraries in all of their in-house applications.
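One concrete way to start that tracking, added here as an example and not part of the diary or any vendor's tooling: walk a Linux host, ask `ldd` which executables load libxml2, resolve the versioned file name and compare it against the ranges in the CVE texts quoted above. The 2.7.3 boundary, the directory layout and the sample `ldd` listing are assumptions made for the example; vendors backport fixes without bumping the version, so treat a verdict as a prompt to check the distribution's advisory, not as proof.

```python
"""Added example (not from the ISC diary): inventory which native executables
on a Linux host load libxml2, and which load a release the three advisories
cover.

Relies on `ldd`, so it sees only dynamically linked native binaries.  A
statically linked libxml2, or one bundled inside a language runtime or an
appliance, is invisible here and must be tracked another way (package
manifests, vendor statements).
"""
import os
import re
import subprocess

# Boundaries from the CVE texts quoted in the diary: the heap overflow
# (xmlParseAttValueComplex) affects releases before 2.7.0; the two integer
# overflows are reported against 2.7.2.  2.7.3 is assumed to be the first
# release carrying fixes for both; confirm against your distribution's
# advisory, since backported fixes do not change the version number.
FIXED = (2, 7, 3)

# Matches "libxml2.so.2 => /usr/lib/libxml2.so.2 (0x...)" and "libfoo.so => not found".
LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+)")
SO_VERSION = re.compile(r"libxml2\.so\.(\d+(?:\.\d+)*)$")


def parse_ldd(output):
    """Map shared-object name -> resolved path from `ldd` output text."""
    deps = {}
    for line in output.splitlines():
        m = LDD_LINE.match(line)
        if m and m.group(2) != "not":        # skip "=> not found"
            deps[m.group(1)] = m.group(2)
    return deps


def libxml2_version(path):
    """Version tuple from a libxml2 file name: .../libxml2.so.2.7.2 -> (2, 7, 2).

    ldd prints the soname target (libxml2.so.2), normally a symlink to the
    fully versioned file; resolve it when the path exists on this host.
    """
    real = os.path.realpath(path) if os.path.exists(path) else path
    m = SO_VERSION.search(os.path.basename(real))
    if not m:
        return None
    return tuple(int(x) for x in m.group(1).split("."))


def verdict(version):
    """Classify a libxml2 version tuple against the diary's advisories."""
    if version is None or len(version) < 3:
        return "unknown"          # soname only (libxml2.so.2): cannot tell
    if version < (2, 7, 0):
        return "heap overflow (xmlParseAttValueComplex): before 2.7.0"
    if version < FIXED:
        return ("integer overflows (xmlBufferResize, xmlSAX2Characters): before "
                + ".".join(map(str, FIXED)))
    return "ok"


def findings_from_ldd(output):
    """libxml2 entries of one ldd listing as (soname, path, version, verdict)."""
    rows = []
    for soname, path in parse_ldd(output).items():
        if soname.startswith("libxml2.so"):
            v = libxml2_version(path)
            rows.append((soname, path, v, verdict(v)))
    return rows


def scan(root):
    """Yield (binary, soname, path, version, verdict) for executables under root.

    Caveat: ldd asks the dynamic loader to trace the binary, which on some
    systems runs code from it.  Use this only on trusted binaries; for
    untrusted ones read the dependencies with `readelf -d` or `objdump -p`.
    """
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.access(path, os.X_OK):
                continue
            try:
                proc = subprocess.run(["ldd", path], capture_output=True,
                                      text=True, timeout=10)
            except (OSError, subprocess.TimeoutExpired):
                continue
            for finding in findings_from_ldd(proc.stdout):
                yield (path,) + finding


# Constructed ldd output for a hypothetical binary; not captured from a real host.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd3c5fe000)
\tlibxml2.so.2 => /opt/legacy/lib/libxml2.so.2.7.2 (0x00007f1c2a000000)
\tlibz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1c29de0000)
\tlibmissing.so.0 => not found
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c29a00000)
"""

if __name__ == "__main__":
    import sys
    rows = scan(sys.argv[1]) if len(sys.argv) > 1 else findings_from_ldd(SAMPLE_LDD)
    for row in rows:
        print(*row)
```

Run it as `python inventory.py /opt` to scan real binaries, or with no argument to see the verdict for the constructed listing. Anything reported as "unknown" (a bare `libxml2.so.2` with no versioned target) or found only through a bundled copy still needs a manual check, which is exactly the gap the paragraph above describes.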
I won't be surprised if we see these CVEs pop up again over the next couple of years. The true impact of the vulnerability lies with the application that's calling it. In the case of Sun OpenSSO this can have some serious implications. You know the drill.