JDK JAXP bugs
Cantor, Scott
cantor.2 at osu.edu
Wed Jul 20 13:30:33 EDT 2016
Looks like a couple of CVEs in the latest JDK patch involve the XML parser in Java and involve denial of service attacks, more or less similar (in impact, not specifics) to the constant stream of issues with the C++ parser. The IdP is likely vulnerable to both.
I'm just mentioning it because of course people aren't getting these from Oracle's older JDKs without paying, so you really need to either get to Java 8, pay, or use OpenJDK. My opinions about OpenJDK notwithstanding, obviously "supported" is better than "dead".
-- Scott