Red Hat Bugzilla – Bug 431416
CVE-2008-0628 java-1.6.0 default external entity processing
Last modified: 2013-04-12 01:01:01 EDT
Sun describes a 1.6.0-only (1.4, 1.5 not affected) XML processing vulnerability
(insecure default) at
This bug may cause effects similar to CVE-2007-5461.
The Java Runtime Environment (JRE) by default allows external entity references
to be processed. To turn off processing of external entity references, sites can
set the "external general entities" property to FALSE. This property is provided
since it may be possible to leverage the processing of external entity
references to access certain URL resources (such as some files and web pages) or
create a Denial of Service (DoS) condition on the system running the JRE. A
defect in the JRE allows external entity references to be processed even when
the "external general entities" property is set to FALSE.
For this vulnerability to be exploited, a trusted application needs to process
XML data that contains malicious content. This vulnerability cannot be exploited
through an untrusted applet or untrusted Java Web Start application.
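An added example (not part of this bug report or Sun's advisory) showing how to set the "external general entities" property the advisory names on the JDK's DOM parser, and how to check that the parser actually honours it, which is exactly what the defect described above breaks. The test document, the example.invalid URI and the class name are constructed for illustration.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class ExternalEntityCheck {
    // Constructed test document: declares an external general entity pointing at a reserved
    // .invalid host, so nothing is ever actually fetched even by a non-compliant parser.
    static final String DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE data [ <!ENTITY ext SYSTEM \"http://example.invalid/entity.txt\"> ]>\n" +
        "<data>&ext;</data>";

    /** Parses DOC with the given settings; returns true if the parser tried to resolve the entity. */
    static boolean attemptsExternalResolution(boolean disallowDoctype) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The property Sun's advisory refers to, plus its parameter-entity counterpart.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        if (disallowDoctype) {
            // Defence in depth (Xerces feature, honoured by the JDK's bundled parser): with no
            // DOCTYPE allowed, no external entity can be declared whether or not the feature above works.
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        }
        DocumentBuilder b = f.newDocumentBuilder();
        final boolean[] resolved = {false};
        // Instrument the parser: any call here means an external entity was about to be fetched
        // despite the setting, i.e. the behaviour this bug describes.
        b.setEntityResolver(new EntityResolver() {
            public InputSource resolveEntity(String publicId, String systemId) {
                resolved[0] = true;
                return new InputSource(new StringReader("")); // never fetch anything
            }
        });
        try {
            Document d = b.parse(new InputSource(new StringReader(DOC)));
            System.out.println("parsed; <data> content = '" + d.getDocumentElement().getTextContent() + "'");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        return resolved[0];
    }

    public static void main(String[] args) throws Exception {
        System.out.println("resolver invoked (features only): " + attemptsExternalResolution(false));
        System.out.println("resolver invoked (DOCTYPE disallowed): " + attemptsExternalResolution(true));
    }
}
```

If the resolver is ever invoked with the feature set to false, the parser in use has the defect this bug describes; disallowing the DOCTYPE closes the vector regardless of whether the feature is honoured.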
bugs.sun.com isn't showing me the cited bug report. I've asked my Sun contact
how to map vulnerability fixes to OpenJDK commits.
This bug does not affect IcedTea. The OpenJDK release incorporated by the
current IcedTea releases contains the fix.
In general, Sun plans to implement a security update scheme whereby fixes are
applied and reported at the same time across all their JDK products including
OpenJDK. When this plan is implemented it will be easier to map security fixes
to OpenJDK releases. In the meantime, I'll ask my Sun contact about each one.
The list of fixed products with their respective errata is here: