Olaf Kummer

Jack in the Box: A Security Bug Story

23. May 2018 / Olaf Kummer / TechTalk

Let me tell you the story of a security bug.

To harden our CMS against XXE attacks, we were implementing the procedures proposed by OWASP. This worked nicely for the deployed software but we ran into one case in which the XXE prevention simply did not seem to work when running a test. Fearing that the approach was somehow broken despite the reputable source, we did a root causes analysis. We found that the transformer factory was correctly configured to avoid inline DTDs and when creating a SAX parser internally it would also pass plausible security features to the parser. However, the parser did not understand the relevant security features, because it implemented an older JAXP version, in which other features had to be used for avoiding XXE attacks. The transformer factory on the other hand, expected a modern SAX parser to be generated, unaware that a JAXP plugin jar might replace the parser, but not the transformer factory implementation.

It turned out that the test was running in a JVM that also had a Xerces parser deployed. While we had forbidden Xerces as a Maven dependency for production code, we had not yet enforced that requirement for tests, too.

We were relieved to find that our Xerces-less production setup was not affected. However, we still contacted Oracle about the issue, who agreed to fix it as a defense in depth issue. After all, this is a pretty insidious bug. While the native XML handling of the JVM is generally preferred over Xerces these days, Xerces might be involuntarily introduced into a project as a transitive dependency. Tools like Maven make it so easy to add a handy new dependency that the full impact of such a change might be overlooked.

It was not a bug in the JDK, because you should not deploy an implementation of an old JAXP version in a JVM that needs a modern implementation. It was not a bug of Xerces, because Xerces never promised to implement the new JAXP standard. It was not a bug of the libraries that depended on Xerces, because they needed Xerces to do their work. It was a bug introduced by adding a dependency, but a bug that was extremely hard to foresee.

But still, I think we can learn a few things, all of them undoubtedly already learned again and again:

  • Be careful when adding dependencies. Something that isn’t there cannot break anything.
  • Before you add magic (such as an XML parser auto-detection), think about it twice.
  • If you change an API (such as the security feature flags of JAXP), try to stay compatible with the old API whenever possible.
  • If you find a problem, talk those who can fix it. They want to be convinced, but in general there is a great willingness to improve.
  • A little Jack-in-the-box may jump at you unexpectedly. Allow time to deal with it.

The good news: The patch is available in JDK 9.0.4 and in fact in the current patch releases for all relevant JDK versions.

Olaf Kummer

Olaf Kummer

Senior Software Engineer

Olaf Kummer is a Senior Software Engineer, employed with CoreMedia for most of the current millennium, focusing on servers, UIs and other components in between. On demand, he also acts as dev ops administrator, first-aider, all-knowing trash heap, security council and patent assistant. He sucks at tabletop soccer. Before joining CoreMedia, he worked as a research assistant at the department for Theoretical Computer Science of the University of Hamburg, specializing in concurrency theory and object-oriented Petri nets.

More posts

Integrating the Cloudinary Media Library

Talking to our customers, we see an increasing demand to create, compose and preview digital experiences with content from different repositories. With the Cloudinary integration in CoreMedia Studio Hub, editors can easily place assets into the omnichannel experience managed in CoreMedia.

Read More

Recommended Read: Retail Reimagined through AI

AI innovation is increasingly rapidly, with all kinds of implications for retail. We share two must-read posts about how data science is being applied to the retail lifecycle, and also some of the ethical questions around AI. Part of our Recommended Read series.

Read More

Mastering Mobile Commerce

As eCommerce moves from desktop to smartphone, retailers are struggling to make the transition. Consumers today now expect an engaging shopping experience on every device, from mobile apps to the latest wearable.

Read More

Post a comment


Add your name and email address to sign up for our CoreMedia Blog and Industry Newsletter and we will keep you posted about upcoming events, product enhancements and news about CoreMedia.

We promise to keep your data safe and you can opt out at any time.