Uploaded image for project: 'Derby'
  1. Derby
  2. DERBY-6807

XXE attack possible by using XmlVTI and the XML datatype

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.11.1.1
    • Fix Version/s: 10.12.1.1
    • Component/s: SQL
    • Labels:
      None
    • Urgency:
      Blocker
    • Issue & fix info:
      Patch Available, Release Note Needed
    • Bug behavior facts:
      Security

      Description

      The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe Arteau.

        Attachments

        1. xmltest.diff
          2 kB
          Abhinav Gupta
        2. error-stacktrace.out
          3 kB
          Bryan Pendleton
        3. externalGeneralEntities.diff
          0.6 kB
          Bryan Pendleton
        4. secureXmlVTI.diff
          2 kB
          Bryan Pendleton
        5. sqlxmlutil.diff
          2 kB
          Bryan Pendleton
        6. releaseNote.html
          1 kB
          Bryan Pendleton

          Issue Links

            Activity

              People

              • Assignee:
                bryanpendleton Bryan Pendleton
                Reporter:
                rhillegas Richard N. Hillegas
              • Votes:
                0 Vote for this issue
                Watchers:
                4 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: