Olaf Kummer

Jack in the Box: A Security Bug Story

May 23, 2018 / Olaf Kummer / TechTalk

Let me tell you the story of a security bug.

To harden our CMS against XXE attacks, we were implementing the procedures proposed by OWASP. This worked nicely for the deployed software, but we ran into one case in which the XXE prevention simply did not seem to work when running a test. Fearing that the approach was somehow broken despite its reputable source, we did a root cause analysis. We found that the transformer factory was correctly configured to restrict DTD processing, and when it created a SAX parser internally it also passed plausible security features on to that parser. However, the parser did not understand those security features, because it implemented an older JAXP version in which different features had to be used to prevent XXE attacks. The transformer factory, on the other hand, expected a modern SAX parser to be generated, unaware that a JAXP plugin jar might replace the parser but not the transformer factory implementation.

It turned out that the test was running in a JVM that also had a Xerces parser deployed. While we had forbidden Xerces as a Maven dependency for production code, we had not yet enforced that requirement for tests as well.
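The situation described above can be checked at runtime, and the transformer can be made independent of whatever SAX parser happens to be on the classpath. The following Java example is added here and is not CoreMedia's code or the JDK's; it applies the OWASP factory hardening, asks the JAXP-resolved parser whether it even recognises the JAXP 1.5 property the transformer will try to hand it, and then feeds the transformer a reader hardened with the older SAX and Xerces feature flags instead of letting the transformer create a parser on its own. The class name, the temp-file probe document and the console messages are constructed for the example; the property and feature URIs are the standard ones from JAXP, SAX and Xerces.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.XMLReader;

public class XxeTransformCheck {

    /** Step 1: the OWASP-recommended hardening of the factory via the JAXP 1.5 attributes.
     *  A TransformerFactory that does not know these attributes throws IllegalArgumentException,
     *  which is the right outcome: fail closed rather than run unhardened. */
    static TransformerFactory hardenedFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Step 2: a SAX reader hardened with the pre-JAXP-1.5 feature flags that both the
     *  JDK-internal and the Apache Xerces parser understand. Any parser that rejects one
     *  of these throws, so again nothing runs silently unprotected. */
    static XMLReader hardenedReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** Diagnostic: does the parser JAXP resolves in this JVM honour the JAXP 1.5 property?
     *  If not, the transformer's factory-level hardening never reaches the parser. */
    static boolean readerHonoursJaxp15(XMLReader reader) {
        try {
            reader.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            return true;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            return false;
        }
    }

    /** Identity transform to a string so the caller can look for the leaked marker. */
    static String transform(Transformer t, Source src) throws Exception {
        StringWriter out = new StringWriter();
        t.transform(src, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed XXE probe: a temp file with a known marker, pulled in by an external entity.
        Path secret = Files.createTempFile("xxe-probe", ".txt");
        Files.write(secret, "LEAKED".getBytes(StandardCharsets.UTF_8));
        String doc = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE foo [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<foo>&xxe;</foo>";

        XMLReader plain = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        System.out.println("SAX parser in use:           " + plain.getClass().getName());
        System.out.println("honours JAXP 1.5 properties: " + readerHonoursJaxp15(plain));

        Transformer t = hardenedFactory().newTransformer();

        // (a) Factory hardening only: the transformer creates its own parser internally.
        try {
            String out = transform(t, new StreamSource(new StringReader(doc)));
            System.out.println("factory-only:  " + (out.contains("LEAKED") ? "LEAKED, hardening was ignored" : "no leak"));
        } catch (Exception e) {
            System.out.println("factory-only:  blocked (" + e.getMessage() + ")");
        }

        // (b) Defense in depth: hand over our own hardened reader, so no parser is auto-created.
        try {
            Source src = new SAXSource(hardenedReader(), new InputSource(new StringReader(doc)));
            String out = transform(t, src);
            System.out.println("SAXSource:     " + (out.contains("LEAKED") ? "LEAKED" : "no leak"));
        } catch (Exception e) {
            System.out.println("SAXSource:     blocked (" + e.getMessage() + ")");
        }
        Files.deleteIfExists(secret);
    }
}
```

Run it once with a plain JDK and once with an older Xerces jar on the classpath: the reported parser class changes, the JAXP 1.5 check flips, and case (a) is where the two runs can differ, while case (b) is blocked either way because the DOCTYPE is rejected before any entity is resolved. The build-time counterpart is a banned-dependency rule (for example the Maven Enforcer plugin's bannedDependencies rule) that is also applied to test scope, so the parser under test is the one that ships.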

We were relieved to find that our Xerces-less production setup was not affected. However, we still contacted Oracle about the issue, and they agreed to fix it as a defense-in-depth issue. After all, this is a pretty insidious bug. While the JVM's native XML handling is generally preferred over Xerces these days, Xerces might be introduced into a project inadvertently as a transitive dependency. Tools like Maven make it so easy to add a handy new dependency that the full impact of such a change is easily overlooked.

It was not a bug in the JDK, because you should not deploy an implementation of an old JAXP version in a JVM that needs a modern one. It was not a bug in Xerces, because Xerces never promised to implement the new JAXP standard. It was not a bug in the libraries that depended on Xerces, because they needed Xerces to do their work. It was a bug introduced by adding a dependency, but one that was extremely hard to foresee.

But still, I think we can learn a few things, all of them undoubtedly learned again and again before:

  • Be careful when adding dependencies. Something that isn't there cannot break anything.
  • Before you add magic (such as XML parser auto-detection), think twice.
  • If you change an API (such as the security feature flags of JAXP), try to stay compatible with the old API whenever possible.
  • If you find a problem, talk to those who can fix it. They want to be convinced, but in general there is a great willingness to improve.
  • A little Jack-in-the-box may jump at you unexpectedly. Allow time to deal with it.

The good news: the patch is available in JDK 9.0.4 and, in fact, in the current patch releases of all relevant JDK versions.


Olaf Kummer

Senior Software Engineer

Olaf Kummer is a Senior Software Engineer, employed with CoreMedia for most of the current millennium, focusing on servers, UIs and other components in between. On demand, he also acts as dev ops administrator, first-aider, all-knowing trash heap, security council and patent assistant. He sucks at tabletop soccer. Before joining CoreMedia, he worked as a research assistant at the department for Theoretical Computer Science of the University of Hamburg, specializing in concurrency theory and object-oriented Petri nets.
