You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Bryan Pendleton (JIRA)" <ji...@apache.org> on 2015/07/11 17:18:04 UTC
[jira] [Updated] (DERBY-6807) XXE attack possible by using XmlVTI
and the XML datatype
[ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bryan Pendleton updated DERBY-6807:
-----------------------------------
Attachment: secureXmlVTI.diff
Attached secureXmlVTI.diff is my proposed change to
make the XmlVTI secure against external entity attacks.
It does so by disabling external entity expansion entirely,
which is a loss in functionality, but a gain in security.
Since the Derby VTI interface is public and fully extensible
(see https://db.apache.org/derby/docs/10.11/devguide/cdevspecialtfbasic.html ),
anyone who wishes to have an XmlVTI which supports external
entity expansion can simply define their own.
But the built-in Derby XmlVTI will not, for security reasons.
> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
> Key: DERBY-6807
> URL: https://issues.apache.org/jira/browse/DERBY-6807
> Project: Derby
> Issue Type: Bug
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: error-stacktrace.out, externalGeneralEntities.diff, secureXmlVTI.diff, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe Arteau.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)