JAVA Toolkit
| home | contact

Home > Products > XML Security > XSECT > Security Advisory

News Menu

Latest News

Christmas Release


One day before Christmas we have released new versions of our SSL/TLS library iSaSiLk and our XML Security Toolkit IAIK-XSECT!

IAIK-JCE 5.60 and IAIK [CP]AdES 2.4 released!


IAIK-JCE 5.60 introduces a "subsidiary" provider as workaround for fixing a JDK JSSE MessageDigest Cloneable bug. IAIK [CP]AdES 2.4 fixes a bug in the AtsHashIndexv3 ASN.1 representation.


Our Clients

Security Advisory

On July 12th 2007 Bradly Hill from iSEC Partners ( ) published a command injection attack in the context of XML Signature and Encryption:

Brad Hill made a draft of his paper available to SIC/IAIK end of February 2007 (thanks to Brad), so that SIC/IAIK was able to develop countermeasures against this attack and release a patch version of its XML Security Toolkit XSECT end of March 2007. Immediately after this release IAIK informed all customers concerned. Now - after Brad Hill has officially published his paper - we can make our customer notification available to the public audience:

We have been informed about a critical attack regarding XLST processing. We examined the Xalan stylesheet processor in its default configuration and found that applications based on this library may be vulnerable to this attack, which may allow execution of arbitrary code. Versions 1.10 and higher of our XSECT library contain countermeasures to block this kind of attack in the context of XML Signature and Encryption. Please note that the problem is NOT located in the XSECT library. Any application that uses Xalan for stylesheet transformations may be affected. Besides the upgrade of XSECT, we highly recommend a review of any Xalan-based application.

On request, customers of the older IXSIL library can also get a maintenance release that contains similar countermeasures.

It is advisable to fix vulnerable applications as soon as possible. Inside stylesheet transformations, Apache Xalan supports certain non-standard extensions of the stylesheet language. The support for these extensions is enabled by default. Applications that use stylesheets from unknown sources may be vulnerable to this attack. An attacker who can trick an application to process a chosen stylesheet can execute arbitrary code with the rights of the application containing Xalan. Applications that create or verify XML signatures with stylesheet transformations in their references, e.g. to transform XML data into HTML text, can be susceptible. An attacker may send an XML signature to a service that automatically verifies the signature. During verification it may execute any included stylesheets. This stylesheet, however, can include arbitrary code that Apache Xalan will execute. Newer versions of Apache Xalan allow disabling these extension features as a countermeasure. XSECT version 1.10 disables these extensions in newer versions of Xalan and includes additional countermeasures for older versions of Xalan.


print    tip a friend
back to previous page back  |  top to the top of the page