[DERBY-6807] XXE attack possible by using XmlVTI and the XML datatype - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 10.11.1.1
Fix Version/s: 10.12.1.1
Component/s: SQL
Labels:
None

Urgency:
Blocker
Issue & fix info:

Patch Available, Release Note Needed
Bug behavior facts:

Security

Description

The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe Arteau.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

xmltest.diff
31/May/15 22:53
2 kB
Abhinav Gupta
error-stacktrace.out
01/Jun/15 00:53
3 kB
Bryan Pendleton
externalGeneralEntities.diff
18/Jun/15 04:21
0.6 kB
Bryan Pendleton
secureXmlVTI.diff
11/Jul/15 15:17
2 kB
Bryan Pendleton
sqlxmlutil.diff
14/Jul/15 03:14
2 kB
Bryan Pendleton
releaseNote.html
18/Jul/15 18:11
1 kB
Bryan Pendleton

Issue Links

is related to

DERBY-2131 External DTD files are accessed without a privileged block when Derby parses XML values that reference such DTDs.

Closed

DERBY-1758 Enable xmlSuite to run as part of derbyall in environments that have the required external jars.

Closed

JCR-4186 Use current Derby version

Closed

Sub-Tasks

1.	Add regression tests for XXE vulnerability	Closed	Abhinav Gupta
2.	Improve error handling in XmlVTI	Closed	Bryan Pendleton
3.	Include XMLOptimizerTraceTest in XMLSuite	Closed	Unassigned

Activity

People

Assignee:: Bryan Pendleton

Reporter:: Richard N. Hillegas

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 05/May/15 19:57

Updated:: 16/Oct/17 16:58

Resolved:: 30/Aug/15 21:18