CERT-FI Advisory on XML Libraries

Several vulnerabilities regarding the parsing of XML data have been found in XML library implementations. The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution.

Some of the most popular open source XML libraries are found to be vulnerable. Please refer to http://www.cert.fi/en/reports/2009/vulnerability2009085.html for details of the vulnerabilities and a list of libraries affected.

XML Security in NetScaler

The NetScaler Application Firewall module includes an XML-aware engine that powers specific XML attack protections. In addition to protecting XML-based applications from attack, NetScaler ensures that incoming XML traffic conforms to the appropriate standards (e.g., XML syntax, schema, WSDL validation).

NetScaler XML Security features that protect against the above vulnerabilities include Format Checks and Denial of Service Prevention. Format Checks prevents malformed or not well-formed messages from reaching the server. Denial of Service Prevention thwarts attacks (like large elements, deeply nested messages, etc.) that attempt to exhaust server resources or exploit weakness in the xml parsers and applications on the server.

For a more comprehensive list of XML security features included in Netscaler, click here.