Vulnerability In XML Libraries Discovered


Security researchers released details today about vulnerabilities in XML libraries from Sun Microsystems, Python and Apache

Researchers have uncovered numerous vulnerabilities in popular X M L libraries from Sun Microsystems, Python and the Apache Software Foundation.

The bugs were discovered by researchers at code testing firm Codenomicon in early 2009 while the company was developing a new product for testing X M L. When testing X M L libraries, evidence of multiple flaws in the parsing of X M L data popped up. The vulnerabilities could be exploited by tricking a user into opening a malicious X M L file or submitting malicious requests to Web services handling X M L content.

“We have not heard of anyone exploiting these flaws yet,” said Heikki Kortti, senior security specialist at Codenomicon.

According to Kortti, the company reported the flaws to CERT-FI, the Finnish national Computer Emergency Response Team, in February. After the vulnerabilities had been found, Codenomicon worked together with CERT-FI to coordinate the remediation of the issues with the affected vendors. In addition to Sun, Apache, and Python, a few other projects are expected to announce their fixes at a later date. Information from Sun about fixing the issues can be found here.

The pervasiveness of X M L makes the flaws especially dangerous. The days when X M L provided support for just a few applications and file formats are long gone. Today, X M L is used in .NET, SOAP, VoIP, Web Services, industrial automation (SCADA) and even banking infrastructure, officials noted.

“X M L implementations are ubiquitous – they are found in systems and services where one would not expect to find them,” said Erka Koivunen, head of CERT-FI, in a statement. “For us it is crucial that end users and organisations who use the affected libraries upgrade to the new versions.”

Kortti advised developers worried their software leverages the affected libraries or who supplied the libraries in some form with their code to update and rebuild too.

“If their apps are using dynamic linking, it’s usually enough that the end user keeps their system up-to-date,” Kortti said. “With most modern OSes this is well taken care of.”

Codenomicon officials said they will release more details about some of the X M L vulnerabilities that were found at the Hacker Halted 2009 security conference in Miami , Florida , in September.