Vulnerabilities in different vendors' XML parsers
The security service company Codenomicon has highlighted a weakness in the XML parser libraries from Sun Microsystems, the Apache Software Foundation and the Python Software Foundation, and said that denial-of-service attacks are possible against applications based on these libraries. Codenomicon announced the problems in co-operation with the Finnish Computer Emergency Response Team (CERT-FI). More details on the vulnerability are available on the CERT-FI website.
The problem can occur when an application parses an XML file that attackers have prepared to contain unexpected byte values or recursive parentheses. This would typically cause the application to crash, but Codenomicon does not exclude the possibility that the hole could be used to inject and execute code. Remote attackers could exploit the hole by attacking SOAP servers. The security service provider discovered the hole by testing the various XML parser libraries with specialised fuzzing tools.
As XML is widely used to exchange structured data, Codenomicon notes that the vulnerability is particularly dangerous and advises developers to respond to the issues as soon as possible. Some companies and open source groups have already responded to the problem and recommend patches to close the hole.
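As a defence-in-depth measure alongside the vendor patches, a service can screen incoming documents for the two triggers named above before they reach the parser. The following Python sketch is an added example, not code from Codenomicon, CERT-FI or any of the affected projects. The limits, the function names, the UTF-8-only policy and the sample inputs are assumptions, and because the article does not say where in a document the parentheses occur, the depth scan covers the whole byte stream.

```python
import re

# Assumed policy values (not from the advisory); tune per application.
MAX_BYTES = 1_000_000
MAX_PAREN_DEPTH = 32

# Control bytes that XML 1.0 does not allow as characters (tab, LF, CR are legal).
_FORBIDDEN = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f]")


def max_paren_depth(data: bytes) -> int:
    """Deepest nesting of '(' ... ')' anywhere in the raw bytes (coarse scan)."""
    depth = deepest = 0
    for b in data:
        if b == 0x28:            # '('
            depth += 1
            deepest = max(deepest, depth)
        elif b == 0x29 and depth:  # ')'
            depth -= 1
    return deepest


def screen_xml(data: bytes) -> list:
    """Return reasons to reject; an empty list means hand the bytes to the parser."""
    reasons = []
    if len(data) > MAX_BYTES:
        reasons.append(f"document larger than {MAX_BYTES} bytes")
    hit = _FORBIDDEN.search(data)
    if hit:
        reasons.append(f"forbidden control byte 0x{hit.group()[0]:02x} at offset {hit.start()}")
    try:
        data.decode("utf-8")     # assumption: the service accepts UTF-8 only
    except UnicodeDecodeError as exc:
        reasons.append(f"invalid UTF-8 at offset {exc.start}")
    depth = max_paren_depth(data)
    if depth > MAX_PAREN_DEPTH:
        reasons.append(f"parenthesis nesting depth {depth} exceeds {MAX_PAREN_DEPTH}")
    return reasons


# Constructed sample inputs, for illustration only.
GOOD = (b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        b'<soap:Body><q>price (net)</q></soap:Body></soap:Envelope>')
CONTROL_BYTE = b"<a>\x01</a>"
BAD_UTF8 = b"<a>\xff</a>"
NESTED = b"<a>" + b"(" * 100 + b")" * 100 + b"</a>"

if __name__ == "__main__":
    for name in ("GOOD", "CONTROL_BYTE", "BAD_UTF8", "NESTED"):
        print(name, screen_xml(globals()[name]) or "accepted")
```

A service that must accept UTF-16 or other encodings needs a different byte check, since this one rejects any document containing a zero byte.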
See also
- A Security Vulnerability in the Java Runtime Environment (JRE) With Parsing XML Data May Allow a Remote Client to Create a Denial of Service (DoS) Condition, an alert from Sun Microsystems.
- Apache SVN 781488, commit of patch for Xerces.
- Codenomicon Labs: XML Security and Fuzzing, an advisory from Codenomicon.
(djwm)