
Multiple Critical Security Issues in XML Libraries

Codenomicon discovered the vulnerabilities in early 2009 as part of the development of a new product for XML testing

Codenomicon Ltd, a leading vendor of software security testing solutions, announced today that it has helped fix multiple critical flaws in popular XML libraries, including implementations from Sun Microsystems, Apache Software Foundation, and Python.

Codenomicon discovered the vulnerabilities in early 2009 as part of the development of a new product for XML testing. When XML libraries were subjected to tests, multiple vulnerabilities in the parsing of XML data were quickly identified. The vulnerabilities could be exploited by enticing a user to open a specially crafted XML file, or by submitting malicious requests to web services that handle XML content. The impact of the discovered vulnerabilities ranges from denial of service to potential execution of malicious code on affected systems. After the vulnerabilities had been found, Codenomicon worked together with CERT-FI (the Finnish National Computer Emergency Response Team) to coordinate remediation of the issues with the affected vendors. In addition to Sun, Apache, and Python, a few other projects are expected to announce their fixes at a later time.

"XML implementations are ubiquitous - they are found in systems and services where one would not expect to find them," says Erka Koivunen, Head of CERT-FI. "For us it is crucial that end users and organizations who use the affected libraries upgrade to the new versions. This announcement is just the beginning of a long remediation process that ends only when the patches have been deployed to production systems," Koivunen continues.

Codenomicon has been developing intelligent model-based fuzzing since 1996, when its founders were working in the widely acclaimed Oulu University Secure Programming Group (OUSPG) PROTOS research project. Systematic fuzzing was first used to break ASCII/MIME content in email clients and web services. Later, the same technique was applied to ASN.1 structures in protocols such as SNMP, LDAP and X.509. Since Codenomicon was founded in 2001, its DEFENSICS product line has grown to cover over 150 different network protocols and file formats, including wireless interfaces such as Bluetooth and WLAN. DEFENSICS for XML adds the capability to test common XML-based protocols and file formats more efficiently than before.

"We initially developed our XML fuzz tests as part of our TR-069 telecommunications protocol test suite, which was already released in January 2009," says Sami Petäjäsoja, Product Manager at Codenomicon. "However, the significance of our XML testing approach was immediately seen to go far beyond the initial set of protocols we were looking at," Petäjäsoja continues. "As XML forms the fundamental basis of many modern protocols and information systems, almost anything can be tested."

XML has come a long way from the days when it provided support for just a few applications and file formats. Today, XML is used in .NET, SOAP, VoIP, Web Services, industrial automation (SCADA) and even banking infrastructure. The new advancements in XML fuzzing have led to the discovery of vulnerabilities and defects in important applications that are deployed in business-critical environments.

XML fuzzing takes valid XML message structures and systematically alters them in ways a parser's authors did not anticipate: breaking encodings, repeating tag elements, dropping tags and elements, using recursive (deeply nested) structures, inserting oversized values or special characters, and many other techniques. Each malformed message is then fed to the implementation under test. The result can be a Denial of Service (DoS) situation, corruption of data, or even a situation where hostile code can be executed on a vulnerable host.
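The following is an added example, written for this page, of what a minimal mutation-based XML fuzzer looks like in practice; it is not Codenomicon's DEFENSICS code and makes no claim about which inputs triggered the vulnerabilities described here. Each mutation maps to one of the structural attacks named above (broken encoding, repeated elements, dropped tag, recursive nesting, oversized value, special character), the seed document is constructed for the example, and the target is Python's bundled expat-backed parser. The harness sorts every outcome into "rejected" (a clean well-formedness error, the expected result), "accepted", "slow" (a DoS candidate) or "crash" (any exception other than ParseError, i.e. a potential robustness bug worth triaging). The time budget and mutation sizes are assumptions chosen for a quick local run.

```python
"""Minimal mutation-based XML fuzzer (added example, not DEFENSICS).

Each mutant is parsed by xml.etree (expat) and labelled:
  rejected  - parser raised ParseError (clean well-formedness error)
  accepted  - parsed without complaint
  slow      - parsing exceeded TIME_BUDGET (DoS candidate)
  crash:X   - an exception other than ParseError of type X (robustness bug)
"""
import time
import xml.etree.ElementTree as ET

# Constructed seed document; a real campaign would start from captured traffic.
SEED = (b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<order><id>42</id><qty>1</qty></order>')

TIME_BUDGET = 2.0  # seconds; assumption chosen for a quick local run


def mutate(seed: bytes) -> dict:
    """Return {mutation_name: mutated_bytes}, one mutant per attack class."""
    return {
        # Declared UTF-8, but smuggle a byte (0xFF) that is never valid UTF-8.
        "broken_encoding": seed.replace(b"42", b"4\xff2"),
        # Repeat one child element many times (exercises counters/state).
        "repeated_elements": seed.replace(b"<id>42</id>",
                                          b"<id>42</id>" * 10_000),
        # Drop a closing tag.
        "unclosed_tag": seed.replace(b"</qty>", b""),
        # Recursive structure: 1000 nested elements.
        "deep_nesting": seed.replace(b"<qty>1</qty>",
                                     b"<n>" * 1_000 + b"x" + b"</n>" * 1_000),
        # Overflow-style oversized attribute value (1 MiB of 'A').
        "long_attribute": seed.replace(
            b"<order>", b'<order ref="' + b"A" * 1_000_000 + b'">'),
        # Special character: NUL via character reference (illegal in XML 1.0).
        "special_chars": seed.replace(b"42", b"&#x0;"),
    }


def classify(data: bytes, budget: float = TIME_BUDGET) -> str:
    """Parse one mutant and label the outcome (see module docstring)."""
    start = time.perf_counter()
    try:
        ET.fromstring(data)
        outcome = "accepted"
    except ET.ParseError:
        outcome = "rejected"                      # the parser said no, cleanly
    except Exception as exc:                      # RecursionError, MemoryError, ...
        outcome = f"crash:{type(exc).__name__}"   # anything else is a finding
    elapsed = time.perf_counter() - start
    if elapsed > budget:                          # slow accept *or* slow reject
        outcome = "slow"
    return outcome


def run_corpus(seed: bytes = SEED) -> dict:
    """Fuzz the seed and return {mutation_name: outcome}."""
    return {name: classify(data) for name, data in mutate(seed).items()}


def findings(results: dict) -> dict:
    """Filter run_corpus() output down to outcomes a tester must triage."""
    return {k: v for k, v in results.items()
            if v == "slow" or v.startswith("crash")}


if __name__ == "__main__":
    res = run_corpus()
    for name, verdict in res.items():
        print(f"{name:20s} {verdict}")
    print("findings:", findings(res) or "none")
```

On a current CPython the three malformed mutants are rejected with a ParseError and the three well-formed ones are accepted, so `findings()` is empty; the value of the harness is in the classes it separates. "Accepted" is not the same as "safe": a parser that happily builds 10,000 duplicate elements or a 1 MiB attribute has pushed the problem to the application behind it, which is exactly where the web-service attack surface described above lives. A real campaign would replace the hand-written mutation table with a model of the protocol's grammar and run each mutant in a separate process with memory and CPU limits, so that a genuine crash or hang in the target does not take the harness down with it.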

Codenomicon will release its new testing solution, DEFENSICS for XML, commercially along with explaining more details about some of the XML vulnerabilities that were found at the Hacker Halted 2009 security conference in Miami, Florida, in September 2009.

More Stories By XML News Desk

The XML-Journal News Desk monitors the world of XML and SOA /Web services to present IT professionals with updates on technology advances and business trends, as well as new products and standards.
