[ https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14566855#comment-14566855 ]

Bryan Pendleton commented on DERBY-6807:
----------------------------------------

The 'database not found' message in the derby.log file is normal. It is tricky to read the Derby test results. The Derby test harness always uses a test database called 'Wombat', and the harness starts by attempting to delete any old copy of the test database before it begins the new tests. In your case, since you are running the tests on a clean working directory (junit-single always does this), there is no old copy of the test database, so the 'Wombat' not found is totally normal.

The more interesting output is in the 'error-stacktrace.out'. When I run your test, I get an error that I am attaching as 'error-stacktrace.out'. Note that the test's attempt to get the XML parser to access a system file has been detected and prevented by the system security manager, which has returned an error exception:
   AccessControlException: access denied ("java.util.PropertyPermission" "user.dir" "read")

Again, as I did in DERBY-6810, I made an experimental modification to SqlXmlUtils.java to enable FEATURE_SECURE_PROCESSING, and I detected no change in the behavior of the test.

I think this means that, for the test to demonstrate the XXE vulnerability, we will need to disable the Java Security Manager that normally runs with the test.

Can you have a look in your 'error-stacktrace.out' and see if your results match mine?

> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
>                 Key: DERBY-6807
>                 URL: https://issues.apache.org/jira/browse/DERBY-6807
>             Project: Derby
>          Issue Type: Bug
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to 
> expose sensitive information or launch denial-of-service assaults. This issue 
> has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe 
> Arteau.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)