Saturday, February 2, 2008

Sun JDK6 XXE protection broken

Sun released JDK6u4 which fixes a possibly nasty issue where one of the XXE protection methods for the default XML parser was broken.

My advisory is at

Sun's advisory is at

Secunia picked it up at

Web services are obviously a key concern here. I haven't checked to see how the common web service frameworks do XXE protection. It's possible to ban DTDs outright, but I'd suspect more common would be to use the broken parser property

I'd love feedback on specific affected technologies.

1 comment:

Sonam Sen said...

Acesoftech is one of the leading Kolkata based website design company. The kolkata web design company provides high-quality, and professional services at affordable rates. We have clients from different parts of the world because of our quality works.Kolkata web design company