The Java Runtime Environment (JRE) by default allows external entity references to be processed. To turn off processing of external entity references, sites can set the "external general entities" property to FALSE. This property is provided since it may be possible to leverage the processing of external entity references to access certain URL resources (such as some files and web pages) or create a Denial of Service (DoS) condition on the system running the JRE. A defect in the JRE allows external entity references to be processed even when the "external general entities" property is set to FALSE.
For this vulnerability to be exploited, a trusted application needs to process XML data that contains malicious content. This vulnerability cannot be exploited through an untrusted applet or untrusted Java Web Start application.
Sun acknowledges with thanks, Chris Evans and Johannes Henkel of the Google Security Team for bringing this issue to our attention.