Project Zero: Gregor Samsa: Exploiting Java's XML Signature Verification
Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard.
OpenJDK fixed the discussed issue in July 2022. The Apache BCEL project used by Xalan-J, the origin of the vulnerable code, released a patch in September 2022.
That is a really crazy exploit. So many levels of indirection.
#java #xml
https://googleprojectzero.blogspot.com/2022/11/gregor-samsa-exploiting-java-xml.html
There are no comments yet.