On Thursday 17 June 2010 11:17:13 pm Nikolay Elenkov wrote:
> Apparently 2.2.7 has the Woodstox parser as a dependency, and for the above
> request that gives a (on Tomcat 5.5)
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Body>
> <soap:Fault>
> <faultcode>soap:Client</faultcode>
> <faultstring>Error reading XMLStreamReader.</faultstring>
> </soap:Fault>
> </soap:Body>
> </soap:Envelope>
>
> With the cause exception:
>
> Caused by: com.ctc.wstx.exc.WstxParsingException: Received event DTD,
> instead of START_ELEMENT or END_ELEMENT.
>
> So I guess we are safe. Anyone that built using Maven should get the same,
> so it should be mostly OK? Unless of course their appserver ignores the
> bundled parser and uses the system one for some reason.
Well, I'm still not sure if the section 5.2 vulnerability isn't still an issue. In this case, did Woodstox parse the DTD (and thus hit the google URL) before returning the DTD event? I don't know. You would need to wireshark or something to see if a URL connection is going out to google.

..... Actually, just tried it. With woodstox as the parser, I don't see any outgoing requests. With the parser built into the JDK, I do (with 2.2.8 and earlier). With the new CXF releases, I don't see any outgoing hits with either parser.

Thus, for SOAP endpoints, if you are 100% sure you are using Woodstox, then you shouldn't be vulnerable. As you said, by default, our maven deps pull in woodstox so hopefully most people are OK. Upgrading is still strongly recommended to be sure though.

--
Daniel Kulp
[email protected]
http://dankulp.com/blog
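The check Dan describes (watching for an outgoing connection when a request carrying an external DTD reference is parsed) can be done in-process instead of with wireshark: hand the StAX factory an XMLResolver that records every external resolution the parser asks for and supplies an empty stream in its place, so nothing is fetched. The following is an added example written for this thread, not code from CXF, Woodstox or the original mail. It assumes a StAX implementation that routes external DTD resolution through the factory's configured XMLResolver (both Woodstox and the JDK parser do), and the sample envelope and its DTD URL are constructed placeholders. It also shows the hardened factory settings (SUPPORT_DTD and IS_SUPPORTING_EXTERNAL_ENTITIES both false) that make the fetch list come back empty regardless of which parser the application server ends up loading:

```java
import java.io.ByteArrayInputStream;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLResolver;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

public class DtdFetchCheck {

    // Constructed sample request: the prolog references an external DTD.
    // The host name is a placeholder (.invalid TLD); it is never contacted,
    // because the resolver below answers every lookup with an empty stream.
    static final String SAMPLE =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE soap:Envelope SYSTEM \"http://dtd-host.invalid/external.dtd\">\n"
      + "<soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\">"
      + "<soap:Body/></soap:Envelope>";

    /** Records each external resolution the parser requests instead of performing it. */
    static final class RecordingResolver implements XMLResolver {
        final List<String> attempted = new ArrayList<>();

        @Override
        public Object resolveEntity(String publicID, String systemID,
                                    String baseURI, String namespace) {
            attempted.add(systemID);
            // Empty replacement content: the parser gets nothing, the network sees nothing.
            return new ByteArrayInputStream(new byte[0]);
        }
    }

    /**
     * Parses SAMPLE with the given factory and returns the system IDs the parser
     * tried to resolve. A non-empty list means this configuration would have
     * gone out to the network for the DTD.
     */
    static List<String> externalFetchAttempts(XMLInputFactory factory) throws XMLStreamException {
        RecordingResolver resolver = new RecordingResolver();
        factory.setXMLResolver(resolver);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(SAMPLE));
        try {
            while (reader.hasNext()) {
                reader.next();
            }
        } catch (XMLStreamException e) {
            // A hardened factory may reject the DOCTYPE outright; that still
            // counts as "no fetch", so the recorded list is what matters.
        } finally {
            reader.close();
        }
        return resolver.attempted;
    }

    /** Hardened factory: DTD processing and external entity expansion both disabled. */
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    public static void main(String[] args) throws Exception {
        // Whichever implementation newInstance() picks (Woodstox if it is on the
        // classpath, otherwise the JDK parser), the second line should be empty.
        System.out.println("factory impl : " + XMLInputFactory.newInstance().getClass().getName());
        System.out.println("default      : " + externalFetchAttempts(XMLInputFactory.newInstance()));
        System.out.println("hardened     : " + externalFetchAttempts(hardenedFactory()));
    }
}
```

Running this once with Woodstox on the classpath and once without it reproduces the comparison in the mail without needing a packet capture, and printing the factory class name answers Nikolay's worry about an application server substituting the system parser for the bundled one.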
