
SANS ISC: XML Libraries Data Parsing Vulnerabilities SANS ISC InfoSec Forums

XML Libraries Data Parsing Vulnerabilities

We have received reports that several vulnerabilities have been discovered in the way XML library implementations parse XML data. These vulnerabilities were reported by Codenomicon Labs to CERT-FI, which has been the main point of contact with vendors for coordinating remediation. According to the CERT-FI advisory, if an application remains unpatched, the program can access memory out of bounds or loop indefinitely, leading to a denial of service and potentially code execution.

According to Codenomicon Labs, any applications using XML may be affected and may have different flaws. Python is currently working on a fix, while Sun has issued an update and Apache has made a patch available.

Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
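The update levels quoted above can be turned into an inventory check. The following is an added example, not part of the original diary or of any vendor tool: it classifies the text printed by `java -version` against the stated thresholds (JDK/JRE 6 before Update 15, 5.0 before Update 20). The host names and sample version strings are constructed, and the check covers only the Sun JRE families named above, not the "other products" that embed Xerces2.

```python
import re

# Fixed update levels as stated in the advisory text above:
# JDK/JRE 6 before Update 15 and JDK/JRE 5.0 before Update 20 are affected.
FIXED_UPDATE = {"1.6.0": 15, "1.5.0": 20}

# Legacy Sun version scheme, e.g. 1.6.0_14 or 1.5.0_19-b02.
VERSION_RE = re.compile(r'(?<![\d.])(1\.\d+\.\d+)(?:_(\d+))?')


def classify(version_output):
    """Return (version, status) for the text printed by `java -version`.

    status is 'affected', 'fixed', 'not-covered' (a family the advisory
    text does not mention) or 'unparsed' (no legacy-style version found).
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return (None, "unparsed")
    family = m.group(1)
    update = int(m.group(2) or 0)  # no "_NN" suffix means the initial release
    version = f"{family}_{update:02d}"
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return (version, "not-covered")
    return (version, "affected" if update < fixed else "fixed")


# Constructed sample inventory: host name -> first line of `java -version`.
SAMPLE_INVENTORY = {
    "app01": 'java version "1.6.0_14"',
    "app02": 'java version "1.6.0_15"',
    "batch01": 'java version "1.5.0_19-b02"',
    "batch02": 'java version "1.5.0_20"',
    "legacy01": 'java version "1.4.2_19"',
}


def affected_hosts(inventory):
    """Hosts whose reported JRE is older than the fixed update level."""
    return sorted(h for h, out in inventory.items()
                  if classify(out)[1] == "affected")


if __name__ == "__main__":
    for host, out in sorted(SAMPLE_INVENTORY.items()):
        print(host, *classify(out))
    print("needs update:", affected_hosts(SAMPLE_INVENTORY))
```

Hosts reported as `not-covered` or `unparsed` still need a manual check, since the text above only gives thresholds for the 5.0 and 6 families.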

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Aug 8th 2009
