Project Zero: Gregor Samsa: Exploiting Java's XML Signature Verification

Earlier this year, I discovered a surprising attack surface hidden deep inside Java’s standard library: A custom JIT compiler processing untrusted XSLT programs, exposed to remote attackers during XML signature verification. This post discusses CVE-2022-34169, an integer truncation bug in this JIT compiler resulting in arbitrary code execution in many Java-based web applications and identity providers that support the SAML single-sign-on standard.

OpenJDK fixed the discussed issue in July 2022. The Apache BCEL project used by Xalan-J, the origin of the vulnerable code, released a patch in September 2022.

That is a really crazy exploit. So many levels of indirection.
#java #xml

https://googleprojectzero.blogspot.com/2022/11/gregor-samsa-exploiting-java-xml.html
