[
https://issues.apache.org/jira/browse/DERBY-6807?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14630580#comment-14630580
]
ASF subversion and git services commented on DERBY-6807:
--------------------------------------------------------
Commit 1691461 from [~bryanpendleton] in branch 'code/trunk'
[ https://svn.apache.org/r1691461 ]
DERBY-6807: XXE attack possible by using XmlVTI and the XML datatype
I believe that, when a Java Security Manager is in place, the XML Parser
instantiated by SqlXmlUtil obeys the policies defined by that security
manager, and hence is not vulnerable to XXE attacks (in the sense that
the only attacks that will succeed are those which are permitted by the
security policy).
But when a Java Security Manager is not in place, the SqlXmlUtil code
could be more secure.
This change modifies SqlXmlUtil so that it can detect that there is no
active Security Manager, and, if so, it now disables external entity
expansion and enables FEATURE_SECURE_PROCESSING.
> XXE attack possible by using XmlVTI and the XML datatype
> --------------------------------------------------------
>
> Key: DERBY-6807
> URL: https://issues.apache.org/jira/browse/DERBY-6807
> Project: Derby
> Issue Type: Bug
> Affects Versions: 10.11.1.1
> Reporter: Rick Hillegas
> Attachments: error-stacktrace.out, externalGeneralEntities.diff,
> secureXmlVTI.diff, sqlxmlutil.diff, xmltest.diff
>
>
> The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to
> expose sensitive information or launch denial-of-service assaults. This issue
> has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe
> Arteau.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
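As an added illustration of the hardening the commit message above describes (disabling external entity expansion and enabling FEATURE_SECURE_PROCESSING on a JAXP parser), here is example code written for this page; it is not Derby's SqlXmlUtil and does not reproduce that class. The sample document is constructed for the demo and its SYSTEM URI is a placeholder that is not expected to exist; the SAX feature names are the standard `external-general-entities` / `external-parameter-entities` URIs, and the `load-external-dtd` feature is a Xerces-specific name that is assumed to be supported by the JDK's bundled parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class HardenedXmlParserDemo {

    // Constructed sample: a document whose internal DTD subset declares an
    // external general entity. The URI is a placeholder and need not exist.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE doc [\n"
      + "  <!ENTITY ext SYSTEM \"file:///placeholder/does-not-exist.txt\">\n"
      + "]>\n"
      + "<doc>&ext;</doc>";

    // Factory configured the way the commit describes for the case where no
    // Security Manager is active: secure processing on, external general and
    // parameter entities off. Applied unconditionally here rather than only
    // when System.getSecurityManager() returns null.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        try {
            // Xerces-specific (assumption): also stop fetching an external DTD subset.
            f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        } catch (ParserConfigurationException ignored) {
            // Parser implementation does not know this feature; the SAX features above still apply.
        }
        return f;
    }

    // Parses the document and reports either the root element's text content
    // or the parser's error message if the document is rejected.
    static String parseRootText(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "parsed, root text = '" + d.getDocumentElement().getTextContent() + "'";
        } catch (SAXException | IOException | ParserConfigurationException e) {
            return "rejected: " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Default factory: external entity expansion is enabled, so the parser
        // attempts to open the SYSTEM URI. With the placeholder path that surfaces
        // as an I/O error; with a readable path the file's contents would be
        // embedded in the element text. That is the exposure the issue describes.
        System.out.println("default  -> " + parseRootText(DocumentBuilderFactory.newInstance(), SAMPLE_XML));

        // Hardened factory: the external entity is never resolved, so the
        // reference is skipped and no resource outside the document is touched.
        System.out.println("hardened -> " + parseRootText(hardenedFactory(), SAMPLE_XML));
    }
}
```

Two design notes. First, the commit applies this configuration only when no Security Manager is installed, relying on the policy file otherwise; the example hardens unconditionally, which is the simpler defensive default when the parser never needs external entities. Second, disabling external entities still lets a DOCTYPE through; if the application has no legitimate use for DTDs at all, the stricter choice is to reject them outright with the Xerces `disallow-doctype-decl` feature, which also closes off internal-entity expansion abuse that FEATURE_SECURE_PROCESSING only rate-limits.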