XML external entity injection and XML injection - Vulnerability Database

XML external entity injection and XML injection

Description

This vulnerability affects multiple Adobe products that fail to properly validate and sanitize XML input, making them susceptible to XML External Entity (XXE) injection and XML injection attacks. XXE vulnerabilities occur when an XML parser is configured to process external entity references within XML documents, allowing attackers to manipulate the parser's behavior. These attacks can lead to unauthorized file disclosure, internal network reconnaissance through TCP port scanning, and Denial of Service (DoS) conditions via techniques such as recursive entity expansion (billion laughs attack) and attribute blowup attacks. Adobe has released security patches to address these vulnerabilities in affected Data Services versions.

Remediation

Apply the security patches released by Adobe for the affected products as referenced in the vendor security bulletins (APSB10-05). Disable XML external entity processing in all XML parsers used by the application. For Java applications using DocumentBuilderFactory, SAXParserFactory, or XMLInputFactory, explicitly disable external entity resolution:

// For DocumentBuilderFactory (DOM): the setFeature calls throw checked
// exceptions, so the configuration lives in a small factory method.
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

static DocumentBuilderFactory secureDocumentBuilderFactory() throws ParserConfigurationException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject any DOCTYPE: blocks XXE and entity-expansion DoS
    dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
    dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    dbf.setXIncludeAware(false);          // XInclude can also pull in local files
    dbf.setExpandEntityReferences(false); // keep entity references unexpanded in the DOM
    return dbf;
}

Implement input validation to reject XML documents containing DOCTYPE declarations or external entity references. Use less complex data formats such as JSON when XML is not strictly required. Conduct a security review of all XML parsing implementations across the application to ensure consistent secure configuration. Apply the principle of least privilege to application file system and network access to limit the impact of potential exploitation.
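The remediation above lists SAXParserFactory and XMLInputFactory alongside DocumentBuilderFactory, and separately recommends rejecting documents that carry a DOCTYPE. The following is an added example (it is not Invicti's or Adobe's code) that hardens those two remaining parser factories and adds the pre-parse DOCTYPE check, then exercises them against a constructed sample document containing an internal entity declaration. Class and method names are chosen for this illustration; the feature and property names are the standard JAXP/StAX ones.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;
import org.xml.sax.InputSource;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParsers {

    // Constructed sample: a DOCTYPE declaring an internal entity that is then
    // referenced in content. A hardened parser must refuse the document rather
    // than expand the entity.
    static final String SAMPLE_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE data [ <!ENTITY e \"placeholder\"> ]>\n"
        + "<data>&e;</data>";

    // Constructed sample with no DOCTYPE; this one must still parse normally.
    static final String SAMPLE_PLAIN = "<?xml version=\"1.0\"?><data>ok</data>";

    // SAXParserFactory: same features as the DocumentBuilderFactory snippet.
    static SAXParserFactory secureSaxFactory()
            throws ParserConfigurationException, SAXNotRecognizedException, SAXNotSupportedException {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // entity expansion limits
        spf.setXIncludeAware(false);
        return spf;
    }

    // XMLInputFactory (StAX) exposes no disallow-doctype-decl feature; instead
    // DTD support and external entity resolution are switched off.
    static XMLInputFactory secureStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    // Input-validation layer: refuse the document before any parser sees it
    // if it contains a DOCTYPE declaration at all.
    static boolean containsDoctype(String xml) {
        return xml.toUpperCase().contains("<!DOCTYPE");
    }

    // Returns true only if the hardened SAX parser accepted the document.
    static boolean parseWithSax(String xml) {
        try {
            SAXParser parser = secureSaxFactory().newSAXParser();
            parser.parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (Exception e) {
            System.out.println("SAX rejected document: " + e.getMessage());
            return false;
        }
    }

    // Returns true only if the hardened StAX reader consumed the document
    // without meeting a DTD event; the DTD check is explicit so the outcome
    // does not depend on how a given StAX implementation treats SUPPORT_DTD.
    static boolean parseWithStax(String xml) {
        try {
            XMLStreamReader r = secureStaxFactory().createXMLStreamReader(new StringReader(xml));
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.DTD) {
                    System.out.println("StAX rejected document: DOCTYPE present");
                    return false;
                }
            }
            return true;
        } catch (XMLStreamException e) {
            System.out.println("StAX rejected document: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("pre-check flags DOCTYPE: " + containsDoctype(SAMPLE_WITH_DOCTYPE));
        System.out.println("SAX accepts plain: " + parseWithSax(SAMPLE_PLAIN));
        System.out.println("SAX accepts DOCTYPE: " + parseWithSax(SAMPLE_WITH_DOCTYPE));
        System.out.println("StAX accepts plain: " + parseWithStax(SAMPLE_PLAIN));
        System.out.println("StAX accepts DOCTYPE: " + parseWithStax(SAMPLE_WITH_DOCTYPE));
    }
}
```

Compile and run with the JDK alone (`javac HardenedXmlParsers.java && java HardenedXmlParsers`); no third-party parser is needed. The string pre-check is deliberately coarse (a substring match) and is meant as a first gate in front of the parser configuration, not a substitute for it: the parser features are what actually stop entity expansion, and rejecting DOCTYPEs outright is what removes the recursive-expansion and attribute-blowup DoS vectors named in the description.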
