Researchers warn of XML library flaws

By Tom Espiner, ZDNet UK
Friday, August 07, 2009 11:08 AM

Open-source code used in a number of different devices by many public- and private-sector organizations is vulnerable to attack, the Finnish computer emergency response team has warned.

The flaws lie in extensible mark-up language (XML), the specification that underlies many code libraries, said the Finnish computer emergency response team (Cert-FI).

Finnish security firm Codenomicon discovered the problems by bombarding XML with unexpected inputs, a process called fuzzing. This led to Cert-FI warning in an advisory on Thursday that XML libraries were susceptible to denial-of-service attacks, and that multiple open-source software libraries were potentially vulnerable to hacking.

Affected sectors include banking, manufacturing, retail, healthcare, government and critical national infrastructure, said Codenomicon in a document explaining its fuzzing work.

Potential targets include servers and server applications, workstations and end-user applications, network devices, embedded systems and mobile devices, said the Cert-FI advisory. Affected libraries include Python libexpat, all versions of Apache Xerces, Sun JDK and JRE 6 Update 14 and earlier, and Sun JDK and JRE 5.0 Update 19 and earlier.

According to Cert-FI, the vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting the file to a server that handles XML content.

Sun said in an advisory that the XML problems in Java, which affect Windows, Solaris and Linux, were resolved in Java SE and Java SE for Business releases JDK and JRE 6 Update 15 or later, and JDK and JRE 5.0 Update 20 or later. There are no workarounds for the issue for older versions, said Sun.

Apache Xerces was revised at the beginning of June in response to the XML parsing flaws. The Python team is currently working on a fix, said the Cert-FI advisory.

The article was first published as a blog post on CNET News.

0

0 votes

Save to My Library

Talkback 0 comments

There are currently no comments for this post.

Reply to story

Related Whitepapers

Featured Whitepapers

Tech Jobs Now!

TechGuides

Specials
News and Interviews
Whiteboard

UOB banks on economic downturn
Singapore bank's IT chief Susan Hwee explains how financial crisis offers new opportunities to reengineer
Play video
Domino's Pizza keeps customers eating
CEO Don Meij discusses strategy to grow customer base
Play video

Salesforce CEO chatters about new social media platform
Facebook-type app hits the enterprise
Play video
Salesforce demos Service Cloud 2
New Web-based tools for customer service
Play video

Cost Effective, Secure and HA Server Infrastructure for SMBs
Alan Wan from Dell illustrates how small and medium businesses can build a high availability IT infrastructure without requiring heavy investments on skills and resources.
Play video
Enterprise 2.0
Vince Casarez, vice president of product management at Oracle, explains how Web 2.0 technologies, such as tags, wikis, and mash-ups, can be applied within an organization.
Play video