[
https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14623946#comment-14623946
]
Rick Hillegas commented on DERBY-6807:
--------------------------------------
Hi Bryan,
The secureXmlVTI.diff patch looks good to me. The XmlVTI is not part of the
public API. Right now the only user of this VTI is the optimizerTracing
optional tool. That tool is described on the Derby wiki but not in our Tools
Guide. The optimizerTracing tool doesn't rely on the entity processing which
your patch disables. So this patch should be safe. Thanks.
> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
> Key: DERBY-6807
> URL: https://issues.apache.org/jira/browse/DERBY-6807
> Project: Derby
> Issue Type: Bug
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: error-stacktrace.out, externalGeneralEntities.diff,
> secureXmlVTI.diff, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to
> expose sensitive information or launch denial-of-service assaults. This issue
> has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe
> Arteau.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
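The patch itself is not reproduced on this page, so the following is an added illustration, not Derby's code and not the contents of secureXmlVTI.diff: a standalone Java program that parses one XXE payload twice, first with a stock JAXP DocumentBuilderFactory and then with external entity processing disabled. The class name XxeDemo, the helper names, the temporary file standing in for a sensitive file, and the particular feature flags in hardenedFactory are all assumptions made for the demo; the issue only says the patch disables entity processing, not which flags it sets.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added demo, not Derby code: one XXE payload parsed with a permissive and
 * with a hardened JAXP factory. The feature set in hardenedFactory() is an
 * assumption for the demo, not the set chosen by secureXmlVTI.diff.
 */
public class XxeDemo {

    /** Constructed payload: an external general entity that reads a local file. */
    static String buildPayload(String fileUri) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE doc [ <!ENTITY xxe SYSTEM \"" + fileUri + "\"> ]>\n"
             + "<doc>&xxe;</doc>";
    }

    /** Parser as JAXP ships it: DOCTYPE allowed, external entities resolved. */
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Parser with entity processing switched off (flags are an assumption). */
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse any DOCTYPE: this blocks external entities and entity-expansion DoS alike.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must still be accepted.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the document and returns the text content of the root element. */
    static String rootText(DocumentBuilderFactory f, String xml) throws Exception {
        DocumentBuilder builder = f.newDocumentBuilder();
        Document doc = builder.parse(new InputSource(new StringReader(xml)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // A throwaway file stands in for the sensitive file an attacker would target.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "secret-from-disk".getBytes(StandardCharsets.UTF_8));
        String payload = buildPayload(secret.toUri().toString());

        // Stock factory: on a JDK with default settings the file contents come back
        // as the element text, which is the disclosure the issue describes.
        System.out.println("permissive: " + rootText(permissiveFactory(), payload));

        // Hardened factory: the DOCTYPE is rejected before any entity is resolved.
        try {
            System.out.println("hardened:   " + rootText(hardenedFactory(), payload));
        } catch (SAXParseException e) {
            System.out.println("hardened:   rejected (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Compile and run with `javac XxeDemo.java && java XxeDemo`. Rejecting the DOCTYPE outright is the strongest option because it also stops the denial-of-service variant (recursive entity expansion) mentioned in the issue; the remaining flags matter only when a component must keep accepting documents with a DTD, and any parser that does not recognise a given feature URI will throw ParserConfigurationException from setFeature rather than silently ignore it.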