Slashdot Mirror


XML Library Flaw — Sun, Apache, GNOME Affected

bednarz writes with this excerpt from Network World: "Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."


  1. Re:ASCII Delimited Security Issues by Z00L00K · Score: 3, Informative

    XML in itself is sometimes a denial of service with strange side-effects.

    As soon as you insert XML that isn't well-formed into an XML parser it will barf in one way or another. And then you will have to dedicate hours to figuring out which tag/data in a 200kB XML request was the culprit. If you are lucky you get a parsing exception; if not, you get a null pointer exception or an infinite loop in the parser.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
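For the "which tag was the culprit" problem described in the comment above, the parser's own error position can be turned into a usable diagnosis. This is an added example, not part of the original thread; it uses Python's standard `xml.etree.ElementTree`, and the function name `locate_xml_error` and the sample request are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample request: the closing tag on line 4 is misspelled.
SAMPLE = b"""<order id="17">
  <item sku="A-1">
    <name>Widget</name>
    <price>9.99</prcie>
  </item>
</order>
"""


def locate_xml_error(data: bytes, context: int = 20):
    """Return None for well-formed input, else a dict locating the failure."""
    parser = ET.XMLPullParser(events=("start", "end"))
    open_tags = []  # elements opened but not yet closed

    def drain():
        # read_events() re-raises a ParseError that feed() queued.
        for event, elem in parser.read_events():
            if event == "start":
                open_tags.append(elem.tag)
            else:
                open_tags.pop()

    try:
        parser.feed(data)
        drain()
        parser.close()  # raises if the input ends with elements still open
        return None
    except ET.ParseError as err:
        drain()  # pick up any events delivered only at close()
        line, col = err.position  # line is 1-based, column is 0-based
        lines = data.splitlines()
        text = lines[line - 1].decode("utf-8", "replace") if line <= len(lines) else ""
        return {
            "message": str(err),
            "line": line,
            "column": col,
            "open_elements": list(open_tags),
            "context": text[max(0, col - context):col + context],
        }


if __name__ == "__main__":
    print(locate_xml_error(SAMPLE))
```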
  2. Re:Open source by jpmorgan · Score: 4, Informative

    Someone will undoubtedly say that the bug being found was part of the process, since it's open source and that means the source is auditable by anybody. Reality: it was discovered by the maker of a fuzzing tool. Fuzzing is the process of sending garbage into software to see if it breaks... it works quite well and generally doesn't require the source code.

    Also, fuzzing discovers DoSes. But many DoS attacks turn into vulnerabilities in the hands of a skilled hacker, and it's generally not safe to assume that a DoS is unexploitable without extensive code analysis.

  3. Re:Article?? by Anonymous Coward · Score: 2, Informative

    I think they in fact did it in a very responsible way. If you read the CERT advisory and everything, it seems they have worked a good part of the year with the industry and CERTs to make sure these problems are actually fixed before letting people know!

  4. Re:And they said XML was easy to parse by Desler · Score: 3, Informative

    Except CSV isn't a standard.

    The IETF might disagree with you.

  5. Re:And they said XML was easy to parse by Timothy Brownawell · Score: 2, Informative

    Except CSV isn't a standard.

    The IETF might disagree with you.

    "This memo provides information for the Internet community. It does not specify an Internet standard of any kind."

  6. Advisories released by Anonymous Coward · Score: 2, Informative

    CERT-FI advisory: https://www.cert.fi/en/reports/2009/vulnerability2009085.html

    Sun advisory: http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

    CERT-FI advisory had a link to Codenomicon web page with some more details: http://www.codenomicon.com/labs/xml/