Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: XML Libraries Data Parsing Vulnerabilities - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
XML Libraries Data Parsing Vulnerabilities

We have received reports that several vulnerabilities have been discovered in XML library implementations when parsing XML data. These vulnerabilities were reported by Codenomicon Labs  to CERT-FI which has been the main contact point with vendors to coordinate the remediation of these vulnerabilities. According to the CERT-FI advisory, if the application remains unpatched, the program can access memory out of bounds or can loop indefinitely leading to a denial of service and potentially code execution.

According to Codenomicon Labs, any applications using XML maybe affected and have different flaws. Python is currently working on a fix while Sun has issued an update and Apache has made a patch available.

CVE-2009-2625
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
 

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org

Teaching Comprehensive Packet Analysis in Ottawa, ON this coming September

Guy

427 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!