pseudo-flaw.net

A couple of days ago, I noted the latest Sun Java Runtime Environment (JRE) update and the apparent lack of security advisories. Today, I saw that one was in fact released shortly after I posted about it.

The following advisory was posted, A Vulnerability in the Java Runtime Environment XML Parsing Code May Allow URL Resources to be Accessed, that describes a defect that allowed "external general entities" to be processed even when the processing had been disabled:

The Java Runtime Environment (JRE) by default allows external entity references to be processed. To turn off processing of external entity references, sites can set the "external general entities" property to FALSE. This property is provided since it may be possible to leverage the processing of external entity references to access certain URL resources (such as some files and web pages) or create a Denial of Service (DoS) condition on the system running the JRE. A defect in the JRE allows external entity references to be processed even when the "external general entities" property is set to FALSE.

The issue of external entity handling would mostly be a concern where one was accepting and parsing XML documents from untrusted sources. But given the prevalence of web-services that may rely on exchange of XML documents, this is probably a common situation. Anyone that was depending on feature being turned off is potentially at risk.

NOTE: By default, processing of external entities is turned ON.

The advisory states that to turn them off, the following feature should be set to false:

factory.setFeature("http://xml.org/sax/features/external-general-entities", false);

You can search for other disclosed JRE vulnerabilities on the Sun sites using the search: "Vulnerability Java Runtime Environment".