Posted to j-users@xerces.apache.org by Jeffrey Sinclair <je...@cooljeff.co.uk> on 2009/08/10 23:18:53 UTC

Denial of service with Xerces?

j-users,

There was a vulnerability report relating to a denial of service attack
with Xerces recently [1]. The vulnerability report does not appear to go
into much detail, however the link [2] to the C++ impl of Xerces would
suggest it relates to nested DTD structures (I assume infinite
recursion).

The report lists all versions of Apache Xerces as being impacted. Would
someone be able to confirm if there is an issue with Xerces for Java and
if so what the actual issue is?

Thanks in advance for any help.

Regards,

Jeff


[1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
[2] http://svn.apache.org/viewvc?view=rev&revision=781488



---------------------------------------------------------------------
To unsubscribe, e-mail: j-users-unsubscribe@xerces.apache.org
For additional commands, e-mail: j-users-help@xerces.apache.org


Re: Denial of service with Xerces?

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Elliotte,

Elliotte Rusty Harold <el...@ibiblio.org> wrote on 08/11/2009 09:56:12 AM:

> On Mon, Aug 10, 2009 at 3:06 PM, Michael
> Glavassevich<mr...@ca.ibm.com> wrote:
> > Hi Jeff,
> >
> > The specific problem reported to Apache only applied to Apache Xerces C++.
> > Xerces-J does not have the bug that was fixed in the C++ impl.
> >
> > As a side note, for applications which do not want to trust documents
> > containing DTDs there's been a feature [1] available in Xerces-J for years
> > which will block them. There's also the JAXP secure processing feature [2]
> > which folks should also be enabling if they're concerned about DoS attacks.
> >
> > Thanks.
> >
> > [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> > [2] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
>
> http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> simply rejects documents containing DOCTYPEs. That might or might not
> block the attack, depending on whether the parser actually tries to
> parse the DTD before throwing the error. I would hope it throws the
> error as soon as it sees <!DOCTYPE, in which case it's likely safe.
> However it is exceedingly draconian.

The fatal error is reported (and an exception is thrown) immediately after
parsing "<!DOCTYPE". It doesn't go any further.

SOAP messages in particular do not allow DOCTYPEs, so I would expect
applications which process those to be enabling this feature. I'm sure
there are other appropriate uses, though obviously it's not a solution for
everyone.

> There aren't a lot of details on the attack yet, but from what little
> has been released I doubt
> http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
> would have any effect on this.

I never said it did. I was making a general statement.

> That feature protects against parsers
> following the spec, and expanding entity references. It sounds like
> the problem here is a failure to follow the spec, and blowing up on
> malformed, recursive entity declarations; though, as I said, I'm only
> guessing about that.

This feature does whatever an implementation feels it needs to in order to
protect itself, and that could include imposing limits on anything, not just
entity expansion. Sure, Xerces only checks a couple of things today when you
turn that feature on, but it might check more things in the future, and if
you're not setting it you won't get that protection.

> --
> Elliotte Rusty Harold
> elharo@ibiblio.org

Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org
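A worked example of the two mitigations Michael describes above and in his first reply (enabling the Xerces-J disallow-doctype-decl feature and JAXP FEATURE_SECURE_PROCESSING). This is added here; it is not code from the thread or from the Xerces project, and the class name, helper names and sample documents are my own:

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXercesParser {

    // Xerces-J feature URI from the thread: reject any document with a DOCTYPE.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    /** Builds a DocumentBuilder with both features from the thread enabled. */
    static DocumentBuilder newHardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // JAXP secure processing: lets the parser impose whatever resource
        // limits the implementation chooses (today and in future releases).
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Fail fast on "<!DOCTYPE": the DTD itself is never read, so nothing
        // declared inside it can be reached by the parser.
        // A JAXP implementation that does not recognise this feature throws
        // ParserConfigurationException here, which fails closed rather than open.
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Defence in depth in case a non-Xerces JAXP stack ignores the above.
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    /** Hypothetical helper: summarises the outcome of one parse attempt. */
    static String tryParse(DocumentBuilder b, String xml) {
        try {
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "ok:" + d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // Reported at the position of the "<!DOCTYPE" token itself.
            return "rejected@line" + e.getLineNumber();
        } catch (Exception e) {
            return "error:" + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder b = newHardenedBuilder();
        // Constructed sample input: a DOCTYPE-free SOAP envelope, which should
        // parse, and a document carrying a DOCTYPE, which should be rejected.
        String plain = "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
                     + "<soap:Body/></soap:Envelope>";
        String withDoctype = "<!DOCTYPE note [<!ELEMENT note (#PCDATA)>]><note>hi</note>";
        System.out.println(tryParse(b, plain));
        System.out.println(tryParse(b, withDoctype));
    }
}
```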

Re: Denial of service with Xerces?

Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
On Mon, Aug 10, 2009 at 3:06 PM, Michael
Glavassevich<mr...@ca.ibm.com> wrote:
> Hi Jeff,
>
> The specific problem reported to Apache only applied to Apache Xerces C++.
> Xerces-J does not have the bug that was fixed in the C++ impl.
>
> As a side note, for applications which do not want to trust documents
> containing DTDs there's been a feature [1] available in Xerces-J for years
> which will block them. There's also the JAXP secure processing feature [2]
> which folks should also be enabling if they're concerned about DoS attacks.
>
> Thanks.
>
> [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> [2]
> http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
simply rejects documents containing DOCTYPEs. That might or might not
block the attack, depending on whether the parser actually tries to
parse the DTD before throwing the error. I would hope it throws the
error as soon as it sees <!DOCTYPE, in which case it's likely safe.
However it is exceedingly draconian.

There aren't a lot of details on the attack yet, but from what little
has been released I doubt
http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
would have any effect on this. That feature protects against parsers
following the spec, and expanding entity references. It sounds like
the problem here is a failure to follow the spec, and blowing up on
malformed, recursive entity declarations; though, as I said, I'm only
guessing about that.

-- 
Elliotte Rusty Harold
elharo@ibiblio.org



Re: Denial of service with Xerces?

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Jeff,

Jeffrey Sinclair <je...@cooljeff.co.uk> wrote on 08/11/2009 03:38:23 PM:

> Michael,
>
> I followed up with the cert.fi group, who posted the vulnerability, to
> clarify the impact they mentioned in the Java implementations. As you
> pointed out, the DOS issue with Xerces-C is different. On the Java side
> they were specifically referring to bad characters in the DTD which can
> result in an infinite loop. This appears to have been patched recently
> in Xerces-J [1]. I also received a mail outside of the group
> re-iterating what cert.fi told me (thanks to Steve Jones).
>
> Could you confirm that the check-in to the XMLScanner [1] was intended
> to fix this vulnerability? Also are there any plans for a 2.9.2 to be
> released to resolve this?

It likely fixes the same issue. The next release is 2.10.0. It's been in
the queue for a while and I would like to see it come out some time before
the end of the year. Users of earlier releases should be able to work around
it by enabling (if appropriate for their application) the
"disallow-doctype-decl" feature I mentioned.

Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Re: Denial of service with Xerces?

Posted by Jeffrey Sinclair <je...@cooljeff.co.uk>.
Michael,

I followed up with the cert.fi group, who posted the vulnerability, to
clarify the impact they mentioned in the Java implementations. As you
pointed out, the DOS issue with Xerces-C is different. On the Java side
they were specifically referring to bad characters in the DTD which can
result in an infinite loop. This appears to have been patched recently
in Xerces-J [1]. I also received a mail outside of the group
re-iterating what cert.fi told me (thanks to Steve Jones).

Could you confirm that the check-in to the XMLScanner [1] was intended
to fix this vulnerability? Also are there any plans for a 2.9.2 to be
released to resolve this?

Elliotte,

As Michael pointed out, my comment around the JDK JAXP impl not being
Xerces was because it is kind of forked. Personally I don't recommend
that the JAXP impl bundled in the JDK be used in our enterprise
environment for two main reasons. Firstly, in the past, it has lagged
behind the current Xerces-J version which results in bug fixes taking
time to be 'back ported'. Secondly, there have been discrepancies in
behaviour in the past which makes it very hard to switch JVM vendors
with the expectation that the JAXP stack will work as expected.

Having said this, this specific vulnerability looks to have been fixed
as of Sun Java 1.6.0_15 and Sun 1.5.0_20 [2].

[1] http://marc.info/?l=xerces-cvs&m=124569778024398&w=2
[2] http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

Regards,

Jeff

On Tue, 2009-08-11 at 12:13 -0400, Michael Glavassevich wrote:
> Elliotte Rusty Harold <el...@ibiblio.org> wrote on 08/11/2009
> 09:51:56 AM:
> 
> > On Mon, Aug 10, 2009 at 10:44 PM, Jeffrey
> > Sinclair<je...@cooljeff.co.uk> wrote:
> > > Thanks Michael.
> > >
> > > I'm going to see if I can provide feedback to cert.fi. Their original
> > > vulnerability report suggests that it is a Java problem too. Not only
> > > have they listed 'all' versions of Xerces but they have also listed the
> > > JAXP impl bundled in the JDK (which I know is no longer Xerces).
> > >
> >
> > Really? Since when. I know it used to be Xerces, and I thought it
> > still was (modulo Sun patches and repackaging). In what version did
> > this change?
> 
> I think Jeff was referring to the amount of forking which Sun has done
> to Xerces. At this point I believe what they ship is very different
> than Apache Xerces. I'm not sure how folks got the impression that
> it's just "patches". I understand that they did significant
> development and re-architecture to accommodate StAX, work which has
> never made its way into the Apache codebase. Ditto for what was in
> Java 5 (for JAXP 1.3), also released by Sun before Xerces ever had
> those capabilities.
> 
> > -- 
> > Elliotte Rusty Harold
> > elharo@ibiblio.org
> > 
> 
> Thanks.
> 
> Michael Glavassevich
> XML Parser Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
> 




Re: Denial of service with Xerces?

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Elliotte Rusty Harold <el...@ibiblio.org> wrote on 08/11/2009 09:51:56 AM:

> On Mon, Aug 10, 2009 at 10:44 PM, Jeffrey Sinclair<je...@cooljeff.co.uk> wrote:
> > Thanks Michael.
> >
> > I'm going to see if I can provide feedback to cert.fi. Their original
> > vulnerability report suggests that it is a Java problem too. Not only
> > have they listed 'all' versions of Xerces but they have also listed the
> > JAXP impl bundled in the JDK (which I know is no longer Xerces).
> >
>
> Really? Since when. I know it used to be Xerces, and I thought it
> still was (modulo Sun patches and repackaging). In what version did
> this change?

I think Jeff was referring to the amount of forking which Sun has done to
Xerces. At this point I believe what they ship is very different than
Apache Xerces. I'm not sure how folks got the impression that it's just
"patches". I understand that they did significant development and
re-architecture to accommodate StAX, work which has never made its way into
the Apache codebase. Ditto for what was in Java 5 (for JAXP 1.3), also
released by Sun before Xerces ever had those capabilities.

> --
> Elliotte Rusty Harold
> elharo@ibiblio.org

Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Re: Denial of service with Xerces?

Posted by Elliotte Rusty Harold <el...@ibiblio.org>.
On Mon, Aug 10, 2009 at 10:44 PM, Jeffrey Sinclair<je...@cooljeff.co.uk> wrote:
> Thanks Michael.
>
> I'm going to see if I can provide feedback to cert.fi. Their original
> vulnerability report suggests that it is a Java problem too. Not only
> have they listed 'all' versions of Xerces but they have also listed the
> JAXP impl bundled in the JDK (which I know is no longer Xerces).
>

Really? Since when. I know it used to be Xerces, and I thought it
still was (modulo Sun patches and repackaging). In what version did
this change?

-- 
Elliotte Rusty Harold
elharo@ibiblio.org



Re: Denial of service with Xerces?

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Hi Jeff,

From reading CERT-FI's report it's apparent that Sun fixed something in
their JDK but as you probably know what they ship is based off of a fork of
Xerces (many years old now) that they've done all sorts of development on.
It's possible that we've fixed whatever they fixed already (though possibly
not released yet since we haven't had a release in a couple years
ourselves) or that it was a bug unique to their fork. Hard to say without
the details.

Thanks.

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Jeffrey Sinclair <je...@cooljeff.co.uk> wrote on 08/11/2009 01:44:53 AM:

> Thanks Michael.
>
> I'm going to see if I can provide feedback to cert.fi. Their original
> vulnerability report suggests that it is a Java problem too. Not only
> have they listed 'all' versions of Xerces but they have also listed the
> JAXP impl bundled in the JDK (which I know is no longer Xerces).
>
> Jeff
>
> On Mon, 2009-08-10 at 18:06 -0400, Michael Glavassevich wrote:
> > Hi Jeff,
> >
> > The specific problem reported to Apache only applied to Apache Xerces
> > C++. Xerces-J does not have the bug that was fixed in the C++ impl.
> >
> > As a side note, for applications which do not want to trust documents
> > containing DTDs there's been a feature [1] available in Xerces-J for
> > years which will block them. There's also the JAXP secure processing
> > feature [2] which folks should also be enabling if they're concerned
> > about DoS attacks.
> >
> > Thanks.
> >
> > [1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> > [2] http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
> >
> > Michael Glavassevich
> > XML Parser Development
> > IBM Toronto Lab
> > E-mail: mrglavas@ca.ibm.com
> > E-mail: mrglavas@apache.org
> >
> > Jeffrey Sinclair <je...@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:
> >
> > > j-users,
> > >
> > > There was a vulnerability report relating to a denial of service attack
> > > with Xerces recently [1]. The vulnerability report does not appear to go
> > > into much detail, however the link [2] to the C++ impl of Xerces would
> > > suggest it relates to nested DTD structures (I assume infinite
> > > recursion).
> > >
> > > The report lists all versions of Apache Xerces as being impacted. Would
> > > someone be able to confirm if there is an issue with Xerces for Java and
> > > if so what the actual issue is?
> > >
> > > Thanks in advance for any help.
> > >
> > > Regards,
> > >
> > > Jeff
> > >
> > > [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> > > [2] http://svn.apache.org/viewvc?view=rev&revision=781488

Re: Denial of service with Xerces?

Posted by Jeffrey Sinclair <je...@cooljeff.co.uk>.
Thanks Michael.

I'm going to see if I can provide feedback to cert.fi. Their original
vulnerability report suggests that it is a Java problem too. Not only
have they listed 'all' versions of Xerces but they have also listed the
JAXP impl bundled in the JDK (which I know is no longer Xerces).

Jeff
 
On Mon, 2009-08-10 at 18:06 -0400, Michael Glavassevich wrote:
> Hi Jeff,
> 
> The specific problem reported to Apache only applied to Apache Xerces
> C++. Xerces-J does not have the bug that was fixed in the C++ impl.
> 
> As a side note, for applications which do not want to trust documents
> containing DTDs there's been a feature [1] available in Xerces-J for
> years which will block them. There's also the JAXP secure processing
> feature [2] which folks should also be enabling if they're concerned
> about DoS attacks.
> 
> Thanks.
> 
> [1]
> http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
> [2]
> http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
> 
> Michael Glavassevich
> XML Parser Development
> IBM Toronto Lab
> E-mail: mrglavas@ca.ibm.com
> E-mail: mrglavas@apache.org
> 
> Jeffrey Sinclair <je...@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:
> 
> > j-users,
> > 
> > There was a vulnerability report relating to a denial of service attack
> > with Xerces recently [1]. The vulnerability report does not appear to go
> > into much detail, however the link [2] to the C++ impl of Xerces would
> > suggest it relates to nested DTD structures (I assume infinite
> > recursion).
> > 
> > The report lists all versions of Apache Xerces as being impacted. Would
> > someone be able to confirm if there is an issue with Xerces for Java and
> > if so what the actual issue is?
> > 
> > Thanks in advance for any help.
> > 
> > Regards,
> > 
> > Jeff
> > 
> > [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> > [2] http://svn.apache.org/viewvc?view=rev&revision=781488




Re: Denial of service with Xerces?

Posted by Michael Glavassevich <mr...@ca.ibm.com>.
Hi Jeff,

The specific problem reported to Apache only applied to Apache Xerces C++.
Xerces-J does not have the bug that was fixed in the C++ impl.

As a side note, for applications which do not want to trust documents
containing DTDs there's been a feature [1] available in Xerces-J for years
which will block them. There's also the JAXP secure processing feature [2]
which folks should also be enabling if they're concerned about DoS attacks.

Thanks.

[1] http://xerces.apache.org/xerces2-j/features.html#disallow-doctype-decl
[2]
http://xerces.apache.org/xerces2-j/javadocs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Michael Glavassevich
XML Parser Development
IBM Toronto Lab
E-mail: mrglavas@ca.ibm.com
E-mail: mrglavas@apache.org

Jeffrey Sinclair <je...@cooljeff.co.uk> wrote on 08/10/2009 05:18:53 PM:

> j-users,
>
> There was a vulnerability report relating to a denial of service attack
> with Xerces recently [1]. The vulnerability report does not appear to go
> into much detail, however the link [2] to the C++ impl of Xerces would
> suggest it relates to nested DTD structures (I assume infinite
> recursion).
>
> The report lists all versions of Apache Xerces as being impacted. Would
> someone be able to confirm if there is an issue with Xerces for Java and
> if so what the actual issue is?
>
> Thanks in advance for any help.
>
> Regards,
>
> Jeff
>
> [1] https://www.cert.fi/en/reports/2009/vulnerability2009085.html
> [2] http://svn.apache.org/viewvc?view=rev&revision=781488