XML Libraries Data Parsing Vulnerabilities
We have received reports that several vulnerabilities have been discovered in XML library implementations when parsing XML data. These vulnerabilities were reported by Codenomicon Labs to CERT-FI, which has been the main contact point with vendors to coordinate the remediation of these vulnerabilities. According to the CERT-FI advisory, if the application remains unpatched, the program can access memory out of bounds or can loop indefinitely, leading to a denial of service and potentially code execution.
According to Codenomicon Labs, any applications using XML may be affected and may have different flaws. Python is currently working on a fix, while Sun has issued an update and Apache has made a patch available.
CVE-2009-2625
Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot org
Sun OpenSSO Enterprise/Sun Access Manager XML Vulnerabilities
According to Sun: "Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager) is the single solution for Web access management, federation, and Web services security." This doesn't affect every network out there, but the larger outfits might be running it, and should be responding to this.
Sun recently published advisories addressing three vulnerabilities ranging from Denial of Service to execution of arbitrary code.
CVE-2008-3529
Heap-based buffer overflow in the xmlParseAttValueComplex function in parser.c in libxml2 before 2.7.0 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a long XML entity name.
Base CVSS 10.0
CVE-2008-4225
Integer overflow in the xmlBufferResize function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (infinite loop) via a large XML document.
Base CVSS 7.8
CVE-2008-4226
Integer overflow in the xmlSAX2Characters function in libxml2 2.7.2 allows context-dependent attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a large XML document.
Base CVSS 10.0
Note: What all of these CVEs have in common is libxml2 2.7.x.
CVE-2008-3529, originally released September 2008, affects a lot of platforms. Exploit code exists targeting Mac OS X, which was patched back in May 2009.
While re-using code via libraries offers efficiencies in development and distribution of a technology, it also amplifies the impact of a vulnerability identified in said library. It may be trivial to patch the issue in the library code, but that often requires many other applications to be rebuilt or relinked. Often these applications are home-grown and not maintained by large development teams. Even organizations that have a group to manage vulnerabilities would be hard pressed to track the use of libraries in all of their in-house applications.
I won't be surprised if we see these CVEs pop up again over the next couple of years. The true impact of the vulnerability lies with the application that's calling it. In the case of Sun OpenSSO this can have some serious implications. You know the drill.
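One way to start tracking bundled copies of the library across in-house applications, as an added example that is not part of the original diary: the script walks a directory tree, finds libxml2 shared objects, and matches each version against the affected versions quoted in the three CVE summaries above. The directory layout, the application names and the assumption that the file name carries the release number are constructed for illustration.

```python
import os
import re
import tempfile

# Affected versions exactly as the CVE summaries above state them.
ADVISORIES = [
    ("CVE-2008-3529", lambda v: v < (2, 7, 0)),   # "libxml2 before 2.7.0"
    ("CVE-2008-4225", lambda v: v == (2, 7, 2)),  # "libxml2 2.7.2"
    ("CVE-2008-4226", lambda v: v == (2, 7, 2)),  # "libxml2 2.7.2"
]

# Assumption: the release number is the suffix of the shared object's file
# name (libxml2.so.2.7.2 for release 2.7.2). Statically linked copies and
# renamed files are not detected by this check.
SO_NAME = re.compile(r"^libxml2\.so\.(\d+)\.(\d+)\.(\d+)$")


def cves_for(version):
    """Return the CVEs from the list above that apply to a version tuple."""
    return [cve for cve, affected in ADVISORIES if affected(version)]


def inventory(root):
    """Map each libxml2 copy under root (relative path) to (version, CVEs)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = SO_NAME.match(name)
            if match:
                version = tuple(int(part) for part in match.groups())
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings[rel] = (version, cves_for(version))
    return findings


def build_sample_tree(root):
    """Create a constructed layout: three hypothetical apps with bundled copies."""
    for rel in ("billing/lib/libxml2.so.2.6.32",
                "portal/lib/libxml2.so.2.7.2",
                "reports/lib/libxml2.so.2.7.3"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, (version, cves) in sorted(inventory(tmp).items()):
            print(path, ".".join(map(str, version)), ", ".join(cves) or "none listed")
```

A result of "none listed" only means the version falls outside the three ranges quoted on this page; it says nothing about other advisories.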