Vulnerability Management

Vulnerabilites hidden in XML libraries

XML libraries from organizations such as Sun, Apache and Python harbor vulnerabilities that could be exploited in applications based on them, according to a Finnish security firm.

The firm, Codenomicon, based in the city of Oulu, said it discovered the vulnerabilities in early 2009 as part of the development of an XML testing product, according to a news release issued Wednesday.

“If you were to wave a magic wand and eliminate from the world all communications that are encoded using XML-defined values, disaster would certainly strike on a scale far beyond any that the most pessimistic had described for possible effects of the Y2K computer bugs,” Codenomicon Labs division said on its site.

The Finnish National Computer Emergency Response Team (CERT-FI), which is working to coordinate remediation of the issue, said in an advisory that the vulnerabilities are related to parsing of XML elements that have unexpected byte values and recursive parentheses.

This can cause programs to access memory out of bounds or to loop indefinitely, according to the advisory. The effect of the vulnerabilities includes denial-of-service and potential code execution.

“The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content,” the advisory said.

Anything that uses XML could potentially be affected.

"XML implementations are ubiquitous -- they are found in systems and services where one would not expect to find them," said Erka Koivunen, head of CERT-FI.

Breaking the encoding, repetition of tags and elements, dropping of tags and elements, recursive structures, overflows, special characters, and many other hacks could corrupt XML parsing and XML-based protocol communications, according to Codenomicon Labs.

Sun, Apache, and Python have issued patches to address the problem, and others are expected to announce their fixes at a later date.

CERT-FI's advisory recommended that users patch vulnerable software components, as advised by their vendors, and also listed several platform-specific remediation measures.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.