Uploaded image for project: 'Derby'
  1. Derby
  2. DERBY-6807

XXE attack possible by using XmlVTI and the XML datatype

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 10.11.1.1
    • 10.12.1.1
    • SQL
    • None
    • Blocker
    • Patch Available, Release Note Needed
    • Security

    Description

      The Derby XML datatype and XmlVTI can be exploited, via XXE-based attacks, to expose sensitive information or launch denial-of-service assaults. This issue has CVE id CVE-2015-1832. This issue was brought to our attention by Philippe Arteau.

      Attachments

        1. error-stacktrace.out
          3 kB
          Bryan Pendleton
        2. externalGeneralEntities.diff
          0.6 kB
          Bryan Pendleton
        3. releaseNote.html
          1 kB
          Bryan Pendleton
        4. secureXmlVTI.diff
          2 kB
          Bryan Pendleton
        5. sqlxmlutil.diff
          2 kB
          Bryan Pendleton
        6. xmltest.diff
          2 kB
          Abhinav Gupta

        Issue Links

          Activity

            People

              bryanpendleton Bryan Pendleton
              rhillegas Richard N. Hillegas
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: