The Third Party Vulnerability Resolution Blog covers CVEs and patches in the Systems product suite.

Sun Alert 231246 A Vulnerability in the Java Runtime Environment XML Parsing Code May Allow URL Resources to be Accessed

Guest Author
Product: Java 2 Platform, Standard Edition

The Java Runtime Environment (JRE) by default processes external entity references in XML documents. To turn this off, sites can set the "external general entities" property to FALSE. The property exists because processing of external entity references can be abused to access certain URL resources (such as some local files and web pages) or to create a Denial of Service (DoS) condition on the system running the JRE. A defect in the JRE allows external entity references to be processed even when the "external general entities" property is set to FALSE, so an application that relied on that setting for protection was not actually protected.

For this vulnerability to be exploited, a trusted application needs to process XML data that contains malicious content. This vulnerability cannot be exploited through an untrusted applet or untrusted Java Web Start application.
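The check below is an added example, not code from the Sun Alert or from the JDK. It assumes that the "external general entities" property named above is the standard SAX feature `http://xml.org/sax/features/external-general-entities` (and, going one step beyond the alert, also turns off `external-parameter-entities`). It constructs a throwaway secret file and a malicious document whose external entity points at it, then parses the document once with the feature enabled and once with it disabled. The point is the second run: because the defect described in this alert is precisely that the FALSE setting was ignored, a site that depends on the property should verify on its own JRE that an external entity is really not expanded, rather than trusting the configuration call alone.

```java
import java.io.File;
import java.io.StringReader;
import java.nio.file.Files;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class ExternalEntityCheck {

    // Assumed mapping of the alert's "external general entities" property to the SAX feature name.
    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    // Parameter entities are a second fetch path; disabling them is an addition beyond the alert.
    static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";

    /** Parse the document with the given entity policy and return all character data seen. */
    static String parseAndCollect(String xml, boolean allowExternalEntities) throws Exception {
        SAXParserFactory factory = SAXParserFactory.newInstance();
        factory.setFeature(EXTERNAL_GENERAL_ENTITIES, allowExternalEntities);
        factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, allowExternalEntities);
        SAXParser parser = factory.newSAXParser();
        final StringBuilder text = new StringBuilder();
        parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        return text.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed secret: stands in for a local file an attacker wants the trusted app to read.
        File secret = File.createTempFile("secret", ".txt");
        secret.deleteOnExit();
        Files.write(secret.toPath(), "TOP-SECRET".getBytes("UTF-8"));

        // Constructed malicious document: an external general entity whose SYSTEM id is that file.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"" + secret.toURI() + "\"> ]>\n"
            + "<data>&xxe;</data>";

        String withEntities = parseAndCollect(xml, true);   // expected to contain TOP-SECRET
        String withoutEntities = parseAndCollect(xml, false); // must NOT contain it

        System.out.println("entities enabled : " + withEntities);
        System.out.println("entities disabled: " + withoutEntities);

        // On a JRE with the defect from this alert, the second parse still expands the entity.
        if (withoutEntities.contains("TOP-SECRET")) {
            System.out.println("VULNERABLE: external entity expanded although the feature is FALSE");
            System.exit(1);
        }
        System.out.println("OK: external general entities are not resolved when the feature is FALSE");
    }
}
```

Run it with `javac ExternalEntityCheck.java && java ExternalEntityCheck`; a non-zero exit means the parser in use ignores the feature and should be treated as affected. The same shape works as a unit test in the application's own build, so a future JRE upgrade that regresses the property is caught before it reaches production.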

Sun acknowledges with thanks Chris Evans and Johannes Henkel of the Google Security Team for bringing this issue to our attention.

State: Resolved
First released: 30-Jan-2008
