Researchers warn of XML library flaws
Open-source code used in a number of different devices by many public- and private-sector organisations is vulnerable to attack, the Finnish computer emergency response team has warned.
The flaws lie in extensible mark-up language (XML), the specification that underlies many code libraries, said the Finnish computer emergency response team (Cert-FI).
Finnish security firm Codenomicon discovered the problems by bombarding XML with unexpected inputs, a process called fuzzing. This led to Cert-FI warning in an advisory on Thursday that XML libraries were susceptible to denial-of-service attacks, and that multiple open-source software libraries were potentially vulnerable to hacking.
Affected sectors include banking, manufacturing, retail, healthcare, government and critical national infrastructure, said Codenomicon in a document explaining its fuzzing work.
Potential targets include servers and server applications, workstations and end-user applications, network devices, embedded systems and mobile devices, said the Cert-FI advisory. Affected libraries include Python libexpat, all versions of Apache Xerces, Sun JDK and JRE 6 Update 14 and earlier, and Sun JDK and JRE 5.0 Update 19 and earlier.
According to Cert-FI, the vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting the file to a server that handles XML content.
Sun said in an advisory that the XML problems in Java, which affect Windows, Solaris and Linux, were resolved in Java SE and Java SE for Business releases JDK and JRE 6 Update 15 or later, and JDK and JRE 5.0 Update 20 or later. There are no workarounds for the issue for older versions, said Sun.
Apache Xerces was revised at the beginning of June in response to the XML parsing flaws. The Python team is currently working on a fix, said the Cert-FI advisory.