Sun JRE / JDK bug introduces XXE possibilities

["Chris Evans" <scarybeasts () gmail com>]

Hi,

Now that Sun has fixed this in JDK6u4, I thought this might be of
interest to people:

http://scarybeastsecurity.blogspot.com/

Essentially, one common XXE protection method was broken in the
default XML parser, in JDK6.

In particular, I'm worried about web services (and other server-side
XML accepting technologies) deployed under JDK6. I haven't had time to
look into common web service frameworks and see how they implement XXE
protection. Might be interesting to look into specific technologies
that broke.

Cheers
Chris