Uploaded image for project: 'Spring Framework'
  1. Spring Framework
  2. SPR-13136

XML input vulnerability based on DTD declaration

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: None
    • Fix Version/s: 3.2.14, 4.1.7, 4.2 RC2
    • Component/s: OXM, Web
    • Security Level: Public
    • Labels:
      None
    • Last commented by a User:
      false

      Description

      If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.

        Issue Links

          Activity

          rstoya05-aop Rossen Stoyanchev created issue -
          rstoya05-aop Rossen Stoyanchev made changes -
          Field Original Value New Value
          Description If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must disabled the by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.
          Hide
          rstoya05-aop Rossen Stoyanchev added a comment -

          Reference to CVE report:
          http://pivotal.io/security/cve-2015-3192.

          Show
          rstoya05-aop Rossen Stoyanchev added a comment - Reference to CVE report: http://pivotal.io/security/cve-2015-3192 .
          rstoya05-aop Rossen Stoyanchev made changes -
          Status Open [ 1 ] Resolved [ 5 ]
          Resolution Complete [ 8 ]
          Hide
          rstoya05-aop Rossen Stoyanchev added a comment -

          Please note that there are additional considerations besides the fixes for this issue when using StAX. The details are in the CVE report referenced above.

          Show
          rstoya05-aop Rossen Stoyanchev added a comment - Please note that there are additional considerations besides the fixes for this issue when using StAX. The details are in the CVE report referenced above.
          rstoya05-aop Rossen Stoyanchev made changes -
          Summary XML vulnerability based on DTD declaration XML input vulnerability based on DTD declaration
          sbrannen Sam Brannen made changes -
          Description If DTD is not entirely disabled, inline DTD declarations can be used to perform Denial of Service attacks known as XML bombs. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must disabled the by setting the disallow-doctype-dec feature in the DOM and SAX APIs to true and by setting the supportDTD property in the StAX API to false.
          If DTD is not entirely disabled, inline DTD declarations can be used to perform _Denial of Service_ attacks known as _XML bombs_. Such declarations are both well-formed and valid according to XML schema rules but when parsed can cause out of memory errors. To protect against this kind of attack DTD support must be disabled by setting the {{disallow-doctype-dec}} feature in the DOM and SAX APIs to {{true}} and by setting the {{supportDTD}} property in the StAX API to {{false}}.
          snicoll St├ęphane Nicoll made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          rstoya05-aop Rossen Stoyanchev made changes -
          Resolution Complete [ 8 ]
          Status Closed [ 6 ] Reopened [ 4 ]
          rstoya05-aop Rossen Stoyanchev made changes -
          Security Contributors and Reporter [ 10155 ] Public [ 10151 ]
          rstoya05-aop Rossen Stoyanchev made changes -
          Status Reopened [ 4 ] Resolved [ 5 ]
          Resolution Complete [ 8 ]
          rstoya05-aop Rossen Stoyanchev made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          juergen.hoeller Juergen Hoeller made changes -
          Link This issue is related to SPR-15797 [ SPR-15797 ]
          Transition Time In Source Status Execution Times Last Executer Last Execution Date
          Open Open Resolved Resolved
          13d 12h 40m 1 Rossen Stoyanchev 30/Jun/15 6:27 AM
          Closed Closed Reopened Reopened
          1h 1 Rossen Stoyanchev 30/Jun/15 11:42 AM
          Reopened Reopened Resolved Resolved
          14s 1 Rossen Stoyanchev 30/Jun/15 11:42 AM
          Resolved Resolved Closed Closed
          4h 13m 2 Rossen Stoyanchev 30/Jun/15 11:42 AM

            People

            • Assignee:
              rstoya05-aop Rossen Stoyanchev
              Reporter:
              making Toshiaki Maki
              Last updater:
              Juergen Hoeller
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Days since last comment:
                2 years, 29 weeks, 1 day ago