Posted to dev@cxf.apache.org by Tal Maayani <ta...@amdocs.com> on 2010/08/02 16:00:29 UTC

DTD based XML attacks - referring to Apache CXF Security Advisory (CVE-2010-2076)

Hi,

According to your advice, in order to block DTD based XML attacks one needs to either use CXF version 2.2.9 or replace the default XML parser.

Can you please explain how to replace the XML parser when using a REST service?

Thanks,
Tal Maayani

Office: 972-9-776-3883


This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
you may review at http://www.amdocs.com/email_disclaimer.asp

Re: DTD based XML attacks - referring to Apache CXF Security Advisory (CVE-2010-2076)

Posted by oferdit <of...@amdocs.com>.
First we tried to use the StaxInInterceptor in order to register the
XMLInputFactory which is mentioned in the advisory document, but we had some
problems with JSON requests and encoding of UTF-8 messages. So what we have
done is to extend JAXBElementProvider as you mentioned.
-- 
View this message in context: http://cxf.547215.n5.nabble.com/DTD-based-XML-attacks-refering-to-Apache-CXF-Security-Advisory-CVE-2010-2076-tp2261760p2635632.html
Sent from the cxf-dev mailing list archive at Nabble.com.

Re: DTD based XML attacks - referring to Apache CXF Security Advisory (CVE-2010-2076)

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

apologies for a delay...

Sergey Beryozkin-5 wrote:
> >
> > Hi
> >
> > On Mon, Aug 2, 2010 at 3:00 PM, Tal Maayani <ta...@amdocs.com>
> > wrote:
> >
> >> Hi,
> >>
> >> According to your advice, in order to block DTD based XML attack one
> need
> >> to either use CXF version 2.2.9 or replace the default xml parser.
> >>
> >> there is an issue with (JAXRS) SourceProvider in 2.2.9 which I missed.
> >> But
> > this provider is optional. As far as I know Dan has done some refactoring
> > in
> > 2.2.10-SNAPSHOT which also helped to fix the SourceProvider issue.
> >
> >
> >> Can you please explain how to replace the xml parser when using REST
> >> service.
> >>
> >
> > are you using JAXB in your JAXRS services ?
> >
> >
>
> We use JAXB in our services.
>
>
JAXBElementProvider delegates by default to the JAXB runtime, without
dealing explicitly with parsers.
However, it also checks if either an XMLStreamReader or an XMLInputFactory is
available on the current message and, if yes, it either reuses the reader or
asks the factory to create one. The only limitation there is that
JAXBElementProvider does not check a message contextual property, so one
would need to register a custom reader/factory from either a CXF interceptor
or a RequestHandler filter.
Alternatively, JAXBElementProvider can be extended and its createStreamReader
method overridden.

thanks, Sergey


> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/DTD-based-XML-attacks-refering-to-Apache-CXF-Security-Advisory-CVE-2010-2076-tp2261760p2268798.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>
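The two options Sergey describes above, registering a hardened XMLInputFactory on the message from a RequestHandler or overriding createStreamReader in a JAXBElementProvider subclass, as an added example written for this thread (it is not code from the thread or from the CXF project). Assumptions, marked in the comments: the RequestHandler interface is the CXF 2.2 org.apache.cxf.jaxrs.ext.RequestHandler; JAXBElementProvider looks the factory up on the message under the key XMLInputFactory.class.getName() (the thread only says it checks the message, not which key); and the createStreamReader signature shown is a guess that must be checked against the source of the CXF version actually in use. The StAX properties SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES are standard javax.xml.stream properties.

```java
import java.io.InputStream;
import java.io.StringReader;

import javax.ws.rs.core.Response;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.jaxrs.provider.JAXBElementProvider;
import org.apache.cxf.message.Message;

/** Example (not CXF code): a DTD-refusing StAX factory and two ways to plug it into JAXRS. */
public final class SafeXmlParsing {

    private SafeXmlParsing() { }

    /** Builds a StAX factory that refuses DOCTYPE declarations and external entities. */
    public static XMLInputFactory createSafeFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        // No DTD at all: this removes both entity-expansion DoS and XXE at the source.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Belt and braces for StAX implementations that would still resolve external entities.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    /**
     * Option 1: put the factory on the current message from a JAX-RS RequestHandler filter
     * (register it as a jaxrs:provider). JAXBElementProvider then asks it for the reader.
     */
    public static class SafeXmlRequestHandler implements RequestHandler {
        private final XMLInputFactory factory = createSafeFactory();

        public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
            // ASSUMPTION: the provider reads the factory under this message key
            // (a plain message property, not a contextual one, per the thread).
            m.put(XMLInputFactory.class.getName(), factory);
            return null; // null tells CXF to continue normal request processing
        }
    }

    /**
     * Option 2: extend JAXBElementProvider and override createStreamReader so every
     * unmarshalled request body goes through the hardened factory.
     */
    public static class SafeJAXBElementProvider extends JAXBElementProvider {
        private final XMLInputFactory factory = createSafeFactory();

        // ASSUMPTION: method signature guessed from the thread; verify it against the
        // JAXBElementProvider source of the CXF release in use before relying on @Override.
        @Override
        protected XMLStreamReader createStreamReader(Class<?> type, InputStream is)
            throws Exception {
            return factory.createXMLStreamReader(is);
        }
    }

    /**
     * Self-check on a constructed document: with the hardened factory, parsing a body that
     * carries a DOCTYPE with an internal entity must fail, either at the DOCTYPE itself or
     * at the now-undeclared entity reference. Returns true when the parser refuses it.
     */
    public static boolean rejectsDoctypeDocument() {
        // Constructed sample input, not a payload from the thread.
        String doc = "<!DOCTYPE x [<!ENTITY e \"expanded\">]><root>&e;</root>";
        try {
            XMLStreamReader r = createSafeFactory().createXMLStreamReader(new StringReader(doc));
            while (r.hasNext()) {
                r.next();
            }
            return false; // parsed to the end: the factory is NOT hardened
        } catch (XMLStreamException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("DTD-bearing document rejected: " + rejectsDoctypeDocument());
    }
}
```

Option 1 keeps the stock JAXBElementProvider and only needs the handler registered as a provider; option 2 is the route the later reply in this thread says was taken after the interceptor approach caused JSON and UTF-8 problems. Whichever is used, run the self-check against the actual StAX implementation on the classpath (Woodstox or the JDK parser), since the exact exception point differs between them.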

Re: DTD based XML attacks - referring to Apache CXF Security Advisory (CVE-2010-2076)

Posted by oferdit <of...@amdocs.com>.

Sergey Beryozkin-5 wrote:
> 
> Hi
> 
> On Mon, Aug 2, 2010 at 3:00 PM, Tal Maayani <ta...@amdocs.com>
> wrote:
> 
>> Hi,
>>
>> According to your advice, in order to block DTD based XML attack one need
>> to either use CXF version 2.2.9 or replace the default xml parser.
>>
>> there is an issue with (JAXRS) SourceProvider in 2.2.9 which I missed.
>> But
> this provider is optional. As far as I know Dan has done some refactoring
> in
> 2.2.10-SNAPSHOT which also helped to fix the SourceProvider issue.
> 
> 
>> Can you please explain how to replace the xml parser when using REST
>> service.
>>
> 
> are you using JAXB in your JAXRS services ?
> 
> 

We use JAXB in our services.

-- 
View this message in context: http://cxf.547215.n5.nabble.com/DTD-based-XML-attacks-refering-to-Apache-CXF-Security-Advisory-CVE-2010-2076-tp2261760p2268798.html
Sent from the cxf-dev mailing list archive at Nabble.com.

Re: DTD based XML attacks - referring to Apache CXF Security Advisory (CVE-2010-2076)

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

On Mon, Aug 2, 2010 at 3:00 PM, Tal Maayani <ta...@amdocs.com> wrote:

> Hi,
>
> According to your advice, in order to block DTD based XML attack one need
> to either use CXF version 2.2.9 or replace the default xml parser.
>

there is an issue with (JAXRS) SourceProvider in 2.2.9 which I missed. But
this provider is optional. As far as I know Dan has done some refactoring in
2.2.10-SNAPSHOT which also helped to fix the SourceProvider issue.


> Can you please explain how to replace the xml parser when using REST
> service.
>

are you using JAXB in your JAXRS services ?

cheers, Sergey
