17th Dec 2002 [SBWID-5882]
COMMAND
XML parser API (and SOAP/WebServices server) DoS(?) using DTD
SYSTEMS AFFECTED
The following products were found to be vulnerable:
- The Expat Developers Expat XML parser
- Apache Group Xerces XML parser
- IBM WebSphere
- Sun Microsystems SunONE
- Apache Group Apache Axis
- Macromedia ColdFusion/MX (Professional, Enterprise, J2EE
Editions released through October, 2002)
- Macromedia JRun 4.0
- Sybase EAServer v4.1, v4.1.1, v4.1.2, v4.1.3
- BEA WebLogic Integration 2.1, 7.0
- BEA WebLogic Server/Express 6.0, 6.1, 7.0, 7.0.0.1
- HP (undisclosed list of products)
- Other products from other vendors are known to be vulnerable too
PROBLEM
Amit Klein and Ory Segal of Sanctum Inc. [http://www.sanctuminc.com/] :
Using the DTD part of an XML document (the DOCTYPE declaration and its
internal subset), an attacker can cause the XML parser to consume 100%
CPU and/or a large amount of memory, resulting in a denial of service
condition. Because SOAP/WebServices servers hand every incoming request
to such a parser, the products listed above inherit the problem.
- no further details have been provided yet -
SOLUTION
Macromedia ColdFusion/MX: Macromedia has issued a bulletin regarding
this problem, and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559
Macromedia JRun: Macromedia has issued a bulletin regarding this
problem, and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559
Sybase EAServer: Sybase has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://my.sybase.com/detail?id=1022856
BEA WebLogic Integration: BEA has issued a bulletin regarding this
problem, and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm
BEA WebLogic Server/Express: BEA has issued a bulletin regarding this
problem, and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm
HP Products: HP requested that the following text appear in this
advisory:
-----------------------------------------------------
SOURCE: Hewlett-Packard Company
Software Security Response Team
HP SSRT case # SSRT2426
At the time of writing this document, HP is
currently investigating the potential impact
to HP's released Operating System software products.
As further information becomes available HP will provide notice
of the availability of any necessary patches through
standard security bulletin announcements and be
available from your normal HP Services support channel.
-----------------------------------------------------
Workaround:
===========
If possible, disable DTD processing in the XML parser, or reject any
document that carries a DOCTYPE declaration before it is parsed. This
requires direct access to the XML parser API, which Web Services
frameworks usually do not expose to the application.
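Added example (written for this page, not code from Sanctum or from any of
the listed vendors): a constructed document whose internal DTD subset
defines nested entities, parsed with Expat through Python's
xml.parsers.expat. The first parse leaves DTD processing on and measures
how much character data a few hundred bytes of input turn into; the second
applies the workaround above by aborting on the DOCTYPE declaration before
any entity is declared or expanded. The depth/fan-out values and the entity
names are arbitrary choices for the demonstration and are kept small so it
runs in well under a second.

```python
"""Added example (not from the advisory): DTD entity amplification with
Expat, and the 'reject any DTD' workaround applied at the parser API."""
import xml.parsers.expat


class DtdRejected(Exception):
    """Raised by the hardened parser when the document carries a DOCTYPE."""


def build_lol_document(depth, fanout):
    """Construct a test document (constructed input, not captured traffic):
    e0 is a literal, e(n) references e(n-1) `fanout` times, and the body
    references e(depth) once, so the text expands to fanout**depth copies
    of the literal while the document itself stays a few hundred bytes."""
    decls = ['<!ENTITY e0 "lol">']
    for n in range(1, depth + 1):
        refs = "&e%d;" % (n - 1) * fanout
        decls.append('<!ENTITY e%d "%s">' % (n, refs))
    return '<?xml version="1.0"?><!DOCTYPE x [%s]><x>&e%d;</x>' % (
        "".join(decls), depth)


def measure_expansion(doc):
    """Parse with DTD processing left on (Expat's default) and return
    (input_bytes, expanded_text_chars): the character data the parser
    actually produced, i.e. the work the attacker made it do."""
    produced = 0

    def on_chars(data):
        nonlocal produced
        produced += len(data)

    p = xml.parsers.expat.ParserCreate()
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return len(doc.encode()), produced


def parse_rejecting_dtd(doc):
    """Hardened variant: abort on the first DOCTYPE declaration, before any
    entity is declared or expanded. Returns the character data length for
    DTD-free documents and raises DtdRejected for everything else."""
    produced = 0

    def on_chars(data):
        nonlocal produced
        produced += len(data)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Expat calls this before it reads the internal subset, so no
        # <!ENTITY> declaration has been processed when we bail out.
        raise DtdRejected("DOCTYPE %r not allowed in requests" % name)

    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = on_doctype
    p.CharacterDataHandler = on_chars
    p.Parse(doc, True)
    return produced


if __name__ == "__main__":
    doc = build_lol_document(depth=5, fanout=10)
    print("input %d bytes -> %d chars of text" % measure_expansion(doc))
    try:
        parse_rejecting_dtd(doc)
    except DtdRejected as e:
        print("hardened parser:", e)
    print("plain document:", parse_rejecting_dtd("<x>hello</x>"), "chars")
```

With depth 5 and fan-out 10 the document is under a kilobyte but yields
300,000 characters of text; raising either parameter makes the cost grow
geometrically, which is the effect the advisory describes. The DOCTYPE
check is the only point where an application can stop this before the
parser has already done the work, which is why it needs the raw parser API
rather than the Web Services layer above it. Newer Expat releases add their
own amplification limits, but those engage only above a fixed output
threshold, so rejecting DTDs outright remains the conservative setting for
a service that never expects one.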