Is it possible to disable XML internal entities?
lfrestrepog
Posted: Tue Apr 28, 2020 5:03 am    Post subject: Is it possible to disable XML internal entities?

Novice

Joined: 08 Jul 2014
Posts: 22

Hello, good day.

Is it possible to disable XML internal entities? Or maybe completely ignore inline DTD?

According to the knowledge center, inline DTD is read while parsing and entities are expanded (https://www.ibm.com/support/knowledgecenter/en/SSMKHH_10.0.0/com.ibm.etools.mft.doc/ad67050_.html). I made a few experiments to verify that schema validation works fine with XML entities (no surprise there), but our security team argues this is a vulnerability. Now, I don't think the risk is too high (external entities are disabled/ignored and the bus is accessible only to trusted applications), but perhaps a properly crafted XML document could lead to a denial of service, right?

Has anyone looked into this before? Is there any workaround available to address this vulnerability?

Any comment would be much appreciated. Thanks.

(Stay safe and wash your hands frequently!)
_________________
--
Luis Fernando Restrepo Gutiérrez
timber
Posted: Tue Apr 28, 2020 7:53 am

Grand Master

Joined: 25 Aug 2015
Posts: 1280

Quote:
perhaps a properly crafted XML document could lead to a denial of service, right?
It depends on how good your security gateway is and how well it is configured. IBM DataPower can automatically detect and reject any dangerous XML documents including (but not limited to) 'billion laughs' and similar XML bombs.
If the security team are concerned about that specific type of attack then they probably should also be concerned about other, more serious types of attack. Because as you rightly said, IIB is only accessible to trusted applications and if somebody could send it an XML bomb then they could probably do a lot of other, more damaging stuff.
Vitor
Posted: Tue Apr 28, 2020 8:28 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

It's unusual in my experience to have IIB directly outward facing. You typically have it behind DataPower or similar perimeter defense (as my worthy associate says), and often with an application layer in the mix somewhere.

Someone who can deliver an XML bomb to IIB is a dangerous person to have in your estate.
_________________
Honesty is the best policy.
Insanity is the best defence.
lfrestrepog
Posted: Tue Apr 28, 2020 1:51 pm

Novice

Joined: 08 Jul 2014
Posts: 22

Right, we do have DataPower for all external facing integrations, and some authentication mechanisms for internal endpoints.

Just wanted to make sure I didn't miss some configuration in the knowledge center.

Thanks for your replies. Regards.
_________________
--
Luis Fernando Restrepo Gutiérrez
Krish318
Posted: Tue Aug 11, 2020 3:27 am

Newbie

Joined: 11 Aug 2020
Posts: 2

Hi All,

Even I am facing the same issue. Is there any solution to validate or restrict DTD in IIB? We don't want to allow DTD to be parsed. If anyone is having a solution, please help to resolve this issue.
Vitor
Posted: Tue Aug 11, 2020 6:33 am

Grand High Poobah

Joined: 11 Nov 2005
Posts: 26093
Location: Texas, USA

Krish318 wrote:
If anyone is having a solution, please help to resolve this issue.

The same solution as outlined above - use a good security gateway between IIB and the outside world.
_________________
Honesty is the best policy.
Insanity is the best defence.
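
Added example, not part of any post in this thread and not IBM, IIB or DataPower code: a sketch of the kind of check a screening step in front of the broker can apply, refusing every message that declares a DOCTYPE so that inline DTDs and internal entities never reach the broker's parser. It uses Python's standard-library expat bindings; the helper name `screen_message` and the sample messages are constructed for illustration.

```python
# Added example (not from the thread, not IBM code): refuse any XML message
# that carries a DOCTYPE, so inline DTDs and internal entities are never expanded.
from xml.parsers import expat

# Constructed sample messages.
PLAIN = b'<?xml version="1.0"?><order><id>42</id></order>'
INTERNAL_ENTITY = (b'<?xml version="1.0"?>\n'
                   b'<!DOCTYPE order [<!ENTITY co "Example Corp">]>\n'
                   b'<order><id>&co;</id></order>')
EXTERNAL_DTD = (b'<?xml version="1.0"?><!DOCTYPE order SYSTEM "order.dtd">'
                b'<order><id>42</id></order>')
MALFORMED = b'<order><id>42</order>'


class DoctypeRejected(Exception):
    """Raised from the expat callback when a DOCTYPE declaration is seen."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this before the document body is parsed, so no entity
    # reference in the body has been expanded yet.
    kind = "inline DTD" if has_internal_subset else "external DTD reference"
    raise DoctypeRejected(f"DOCTYPE '{name}' ({kind})")


def screen_message(data):
    """Return (accepted, reason) for one message body (hypothetical helper)."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _on_doctype
    try:
        parser.Parse(data, True)
    except DoctypeRejected as exc:
        return False, f"rejected: {exc}"
    except expat.ExpatError as exc:
        return False, f"rejected: not well-formed ({exc})"
    return True, "accepted"


if __name__ == "__main__":
    for label, msg in [("plain", PLAIN), ("internal entity", INTERNAL_ENTITY),
                       ("external DTD", EXTERNAL_DTD), ("malformed", MALFORMED)]:
        print(f"{label:16} -> {screen_message(msg)}")
```

Rejecting on the DOCTYPE itself, rather than counting entity expansions, also blocks legitimate documents that use a DTD, so it only fits integrations whose message contracts never need one.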