Bug 431416 - (CVE-2008-0628) CVE-2008-0628 java-1.6.0 default external entity processing
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
: Security
Depends On: 443139
Reported: 2008-02-04 06:40 EST by Marc Schoenefeld
Modified: 2013-04-12 01:01 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-04-12 01:01:01 EDT

Attachments: None
Description Marc Schoenefeld 2008-02-04 06:40:09 EST
Sun describes a 1.6.0-only (1.4, 1.5 not affected) XML processing vulnerability
(insecure default) at
This bug may cause effects similar to CVE-2007-5461. 

Vendor Description:

The Java Runtime Environment (JRE) by default allows external entity references
to be processed. To turn off processing of external entity references, sites can
set the "external general entities" property to FALSE. This property is provided
since it may be possible to leverage the processing of external entity
references to access certain URL resources (such as some files and web pages) or
create a Denial of Service (DoS) condition on the system running the JRE. A
defect in the JRE allows external entity references to be processed even when
the "external general entities" property is set to FALSE.

For this vulnerability to be exploited, a trusted application needs to process
XML data that contains malicious content. This vulnerability cannot be exploited
through an untrusted applet or untrusted Java Web Start application.
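The vendor text above says the mitigation is to set the "external general entities" property to FALSE, and that the defect was the JRE ignoring that setting. The following is an added example (not code from the bug report, Sun, or Red Hat) showing how a Java application sets that property on the JAXP DocumentBuilderFactory and then verifies, on a constructed document, that the parser really leaves an external general entity unexpanded. The class name, method names, and the `file:///path/to/placeholder.txt` system identifier are assumptions chosen for the example; the placeholder path is not meant to exist.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class ExternalEntityCheck {

    // Constructed sample document: its internal DTD subset declares an
    // external general entity and the body references it. A parser that
    // honours "external general entities = false" must not resolve it.
    static final String SAMPLE =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [\n"
        + "  <!ENTITY ext SYSTEM \"file:///path/to/placeholder.txt\">\n"
        + "]>\n"
        + "<note>&ext;</note>";

    // Factory configured the way the advisory describes: the SAX feature
    // that corresponds to the "external general entities" property is
    // switched off, together with its parameter-entity counterpart and
    // external DTD loading (the latter feature name is Xerces-specific).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Stricter variant: refuse any DOCTYPE at all, which removes the entity
    // mechanism entirely when the application does not need DTDs.
    static DocumentBuilderFactory strictFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = hardenedFactory();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f;
    }

    // Parses with the hardened factory and returns the text content of the
    // root element. When the external entity is left unexpanded, the
    // returned string is empty; any other value means the parser fetched
    // the referenced resource despite the setting.
    static String textAfterHardenedParse(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        Document d = b.parse(new InputSource(new StringReader(xml)));
        return d.getDocumentElement().getTextContent();
    }

    // Returns true when the strict factory rejects the document outright.
    static boolean strictFactoryRejects(String xml) throws Exception {
        DocumentBuilder b = strictFactory().newDocumentBuilder();
        try {
            b.parse(new InputSource(new StringReader(xml)));
            return false;
        } catch (SAXParseException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        String text = textAfterHardenedParse(SAMPLE);
        if (text.isEmpty()) {
            System.out.println("OK: external general entity was not expanded");
        } else {
            System.out.println("WARNING: parser expanded the external entity: " + text);
        }
        System.out.println("strict factory rejects DOCTYPE: " + strictFactoryRejects(SAMPLE));
    }
}
```

Running the `main` method is the regression check a deployment would want for this bug: a JRE that honours the property prints the "OK" line because the entity reference node is created empty; a JRE with the defect described above would attempt to read the referenced resource, and on a real file the text would be non-empty (on the placeholder path it would fail with an I/O error instead). The `disallow-doctype-decl` feature is the stronger default where DTDs are not required, since it sidesteps the property altogether.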
Comment 1 Thomas Fitzsimmons 2008-02-05 16:14:56 EST
bugs.sun.com isn't showing me the cited bug report.  I've asked my Sun contact
how to map vulnerability fixes to OpenJDK commits.
Comment 2 Thomas Fitzsimmons 2008-02-05 17:19:31 EST
This bug does not affect IcedTea.  The OpenJDK release incorporated by the
current IcedTea releases contains the fix.

In general, Sun plans to implement a security update scheme whereby fixes are
applied and reported at the same time across all their JDK products including
OpenJDK.  When this plan is implemented it will be easier to map security fixes
to OpenJDK releases.  In the meantime, I'll ask my Sun contact about each one.
Comment 3 Tomas Hoger 2008-02-07 03:15:28 EST
See also:

Comment 7 Vincent Danen 2013-04-12 01:01:01 EDT
The list of fixed products with their respective errata is here:

