August 5th, 2009
Open-source XML-enabled application risk identified
Since XML underpins nearly everything in an SOA stack, a reported vulnerability in a widely used XML library needs to be taken seriously.
At issue are XML-enabled applications built on several widely used open-source XML parsing libraries, Python's among them. Network World's Ellen Messmer surfaced an advisory, issued by Codenomicon, working in conjunction with the Computer Emergency Response Team in Finland (CERT-FI): "Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation, Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them." Dave Chartier, CEO of Codenomicon, is quoted as saying, of applications built on the affected libraries, "that application would be vulnerable and there are probably millions of these applications."
“The vulnerabilities could be exploited by enticing a user to open a specifically-crafted XML file, or by submitting malicious requests to Web services that handle XML content, according to Codenomicon. Chartier says it should be anticipated that attackers will explore XML-related attacks, and he advises organizations to follow the suggested recommendations, such as patching.”
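Patching the affected library is the fix the advisory calls for, but a Web service that accepts XML from outside the organization can also limit what a crafted document is able to do to it. The following is an added example (not code from Codenomicon, CERT-FI or any of the affected projects) that parses each request body in a throwaway worker process with a size cap and a time budget, so that a document which crashes or hangs the parser costs one worker rather than the whole service. The limits, the sample documents and the hung-parser stand-in are assumptions chosen for illustration; the stand-in does not reproduce any bug from the advisory.

```python
"""Bound and isolate untrusted XML parsing in a web service.

Added example, not code from Codenomicon, CERT-FI or any of the affected
projects. Patching the XML library is the fix the advisory calls for; this
shows the defence-in-depth wrapper a service can put around any parser so
that a document which crashes or hangs the parser costs one throwaway
worker process, not the whole service. The size limit, time budget and
sample documents are assumptions chosen for illustration.
"""
import multiprocessing
import time
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024   # assumed cap on one XML request body
PARSE_TIMEOUT = 2.0     # assumed wall-clock budget per document, in seconds


def _parse_worker(data, conn, parser):
    """Child process: parse `data` and report a summary or the failure."""
    try:
        root = parser(data)
        conn.send(("ok", root.tag, len(root)))  # root tag and direct-child count
    except Exception as exc:  # ParseError, or whatever a third-party parser raises
        conn.send(("error", "%s: %s" % (type(exc).__name__, exc)))
    finally:
        conn.close()


def parse_untrusted(data, max_bytes=MAX_BYTES, timeout=PARSE_TIMEOUT,
                    parser=ET.fromstring):
    """Return ("ok", root_tag, child_count) or ("error", reason).

    Oversized payloads are rejected before any parsing. The parse runs in a
    child process: if it overruns `timeout` the child is killed, and if the
    child dies without replying (a native parser crash, for instance) the
    parent sees EOF on the pipe. Either way the caller keeps running.
    """
    if len(data) > max_bytes:
        return ("error", "payload of %d bytes exceeds %d-byte limit"
                % (len(data), max_bytes))
    recv_end, send_end = multiprocessing.Pipe(duplex=False)
    proc = multiprocessing.Process(target=_parse_worker,
                                   args=(data, send_end, parser))
    proc.start()
    send_end.close()  # parent keeps only the read end, so EOF is detectable
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        recv_end.close()
        return ("error", "parser exceeded %.1fs budget" % timeout)
    try:
        if recv_end.poll():
            return recv_end.recv()
    except EOFError:
        pass  # child exited without sending a result
    finally:
        recv_end.close()
    return ("error", "worker exited with code %s before replying" % proc.exitcode)


# Constructed sample inputs, not captured traffic.
GOOD_XML = b"<order><item sku='a'/><item sku='b'/></order>"
MALFORMED_XML = b"<order><item></order>"             # mismatched closing tag
OVERSIZED_XML = b"<a>" + b"x" * MAX_BYTES + b"</a>"  # rejected before parsing


def _hung_parser(data):
    """Stand-in for a parser that never returns on a crafted document.

    Simulation only, to exercise the timeout path; it does not reproduce any
    bug from the advisory above.
    """
    while True:
        time.sleep(1)


if __name__ == "__main__":
    for label, doc in (("good", GOOD_XML), ("malformed", MALFORMED_XML),
                       ("oversized", OVERSIZED_XML)):
        print(label, parse_untrusted(doc))
    print("hung", parse_untrusted(GOOD_XML, timeout=0.5, parser=_hung_parser))
```

The size check runs in the parent before any bytes reach a parser, and the parent only ever reads a short summary tuple back from the worker, so a parser that loops, exhausts memory or dies on a crafted document never affects the request-handling process. This does not replace the vendor patches; it bounds the damage from the next library bug that has not been patched yet.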
Codenomicon's press release on the vulnerabilities and the associated patches is posted on its Website.
SOA widens the attack surface, since XML messages are exchanged across organizational boundaries and parsed by whatever library sits behind each endpoint. At the same time, SOA provides for enterprise security services that can help remedy the spotty and uneven approaches seen across many environments. But the bottom line is corporate culture and security awareness at many levels. It always helps to be vigilant, which in this case means knowing which XML library each service depends on and applying the vendors' patches.
Joe McKendrick is an author and consultant with deep knowledge and insights regarding trends and developments in the technology industry.