Jack in the Box: A Security Bug Story

Let me tell you the story of a security bug.

To harden our CMS against XXE attacks, we implemented the procedures proposed by OWASP. This worked nicely for the deployed software, but we ran into one case in which the XXE prevention simply did not seem to work when running a test. Fearing that the approach was somehow broken despite the reputable source, we did a root cause analysis. We found that the transformer factory was correctly configured to block external DTD and entity access, and that when it created a SAX parser internally it also passed the corresponding security settings on to that parser. However, the parser did not understand those settings, because it implemented an older JAXP version in which different feature flags had to be used to prevent XXE attacks. The transformer factory, on the other hand, expected a modern SAX parser to be created, unaware that a JAXP plugin jar on the classpath can replace the parser implementation while leaving the transformer factory implementation in place.

It turned out that the test was running in a JVM that also had a Xerces parser on its classpath. While we had forbidden Xerces as a Maven dependency for production code, we had not yet enforced that rule for the test scope as well.

We were relieved to find that our Xerces-less production setup was not affected. Still, we contacted Oracle about the issue, and they agreed to fix it as a defense-in-depth measure. After all, this is a pretty insidious bug. While the JDK's built-in XML handling is generally preferred over Xerces these days, Xerces may be introduced into a project inadvertently as a transitive dependency. Tools like Maven make it so easy to add a handy new dependency that the full impact of such a change is easily overlooked.

It was not a bug in the JDK, because you should not deploy an implementation of an old JAXP version in a JVM that needs a modern one. It was not a bug in Xerces, because Xerces never promised to implement the new JAXP standard. It was not a bug in the libraries that depended on Xerces, because they needed Xerces to do their work. It was a bug introduced by adding a dependency, but one that was extremely hard to foresee.
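The following Java probe is an added illustration written for this article; it is not CoreMedia's code and not the code that was patched. It reproduces the kind of test that caught the problem: a transformer factory hardened with the OWASP-recommended JAXP 1.5 attributes (XMLConstants.ACCESS_EXTERNAL_DTD and ACCESS_EXTERNAL_STYLESHEET) is fed a constructed document whose external entity points at a temporary file containing a marker, and the probe checks whether the marker leaks into the output. It also asks the SAX parser that the JAXP service lookup actually returns whether it understands the JAXP 1.5 property at all, and shows the older SAX and Xerces feature flags that pre-JAXP-1.5 parsers do understand. The class name, marker string and temp file are made up for the example.

```java
import java.io.StringReader;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.TransformerException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;

/**
 * Probe for the failure mode described above: the TransformerFactory is hardened,
 * but the SAX parser it obtains through the JAXP service lookup may not understand
 * the JAXP 1.5 properties. Run it once on the production classpath and once on the
 * test classpath. (Illustrative code written for this article, not CoreMedia's.)
 */
public class XxeHardeningProbe {

    /** TransformerFactory configured as the OWASP XXE cheat sheet recommends. */
    static TransformerFactory hardenedTransformerFactory() {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // no external DTDs or entities
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, ""); // no external stylesheets
        return tf;
    }

    /** Which SAX parser does the JAXP lookup return, and does it know the JAXP 1.5 property? */
    static String probeSaxParser() throws Exception {
        SAXParser parser = SAXParserFactory.newInstance().newSAXParser();
        String impl = parser.getXMLReader().getClass().getName();
        try {
            parser.setProperty(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            return impl + " understands " + XMLConstants.ACCESS_EXTERNAL_DTD;
        } catch (SAXNotRecognizedException | SAXNotSupportedException e) {
            return impl + " does NOT understand " + XMLConstants.ACCESS_EXTERNAL_DTD
                 + " (pre-JAXP-1.5 parser: a transformer's setting is lost on it)";
        }
    }

    /**
     * Belt and braces for code that configures the SAX parser itself: the legacy
     * SAX/Xerces feature flags that older parsers understand. Returns the flags the
     * installed parser rejected, so a test can fail when protection is incomplete.
     */
    static List<String> hardenLegacyFeatures(SAXParserFactory spf) {
        String[][] features = {
            {"http://apache.org/xml/features/disallow-doctype-decl", "true"},
            {"http://xml.org/sax/features/external-general-entities", "false"},
            {"http://xml.org/sax/features/external-parameter-entities", "false"},
            {"http://apache.org/xml/features/nonvalidating/load-external-dtd", "false"},
        };
        List<String> rejected = new ArrayList<>();
        for (String[] f : features) {
            try {
                spf.setFeature(f[0], Boolean.parseBoolean(f[1]));
            } catch (ParserConfigurationException | SAXNotRecognizedException | SAXNotSupportedException e) {
                rejected.add(f[0]);
            }
        }
        spf.setXIncludeAware(false);
        return rejected;
    }

    /**
     * End-to-end check modelled on the failing test. The constructed document declares an
     * external entity pointing at a temp file holding a marker. Returns true if the marker
     * leaks into the transformer output (protection ineffective), false if it was refused.
     */
    static boolean xxeLeaks(TransformerFactory tf) throws Exception {
        Path secret = Files.createTempFile("xxe-probe", ".txt");
        try {
            Files.write(secret, "SECRET-MARKER".getBytes(StandardCharsets.UTF_8));
            String payload = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE doc [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
                + "<doc>&xxe;</doc>";
            StringWriter out = new StringWriter();
            tf.newTransformer().transform(
                new StreamSource(new StringReader(payload)), new StreamResult(out));
            return out.toString().contains("SECRET-MARKER");
        } catch (TransformerException e) {
            return false; // the parser refused to resolve the external entity
        } finally {
            Files.deleteIfExists(secret);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("TransformerFactory: " + TransformerFactory.newInstance().getClass().getName());
        System.out.println("SAXParser: " + probeSaxParser());
        System.out.println("Legacy flags rejected: " + hardenLegacyFeatures(SAXParserFactory.newInstance()));
        System.out.println("Unhardened factory leaks entity: " + xxeLeaks(TransformerFactory.newInstance()));
        System.out.println("Hardened factory leaks entity: " + xxeLeaks(hardenedTransformerFactory()));
    }
}
```

The last line is the one that matters: if the hardened factory still reports that the entity leaked, the parser returned by the JAXP lookup is ignoring the transformer's settings, which is exactly the situation a stray Xerces jar on the test classpath produced here. Because the probe depends only on what is on the classpath, it belongs in the test suite, where a Xerces brought in by a test-scoped dependency will be caught as well.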

But still, I think we can learn a few things, all of them undoubtedly already learned again and again:

  • Be careful when adding dependencies. Something that isn't there cannot break anything.
  • Before you add magic (such as XML parser auto-detection), think twice.
  • If you change an API (such as the security feature flags of JAXP), try to stay compatible with the old API whenever possible.
  • If you find a problem, talk to those who can fix it. They want to be convinced, but in general there is a great willingness to improve.
  • A little Jack-in-the-box may jump at you unexpectedly. Allow time to deal with it.

The good news: The patch is available in JDK 9.0.4 and in fact in the current patch releases for all relevant JDK versions.

Olaf Kummer