Bugtraq mailing list archives
Multiple vendor SOAP server (XML parser) denial of service (DTD parameter entities)
From: Amit Klein <Amit.Klein () SanctumInc com>
Date: Thu, 11 Dec 2003 19:58:17 +0200
/////////////////////////////////////////////////////////////////////////////////==========================>> Security Advisory <<==========================//
/////////////////////////////////////////////////////////////////////////////// -------------------------------------------------------------------------------- -----[ Multiple vendor SOAP server (XML parser) denial of service (DTD parameter entities) -------------------------------------------------------------------------------- --[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com --[ Vendors alerted: August 28th, 2003 --[ Release Date: December 11th, 2003 --[ Product: IBM WebSphere 5.0.0 (even when patched with "old" PQ70921) Microsoft ASP.NET Web Services (.NET framework 1.0, .NET framework 1.1) ... And probably other products which use XML parsers --[ Severity: High --[ CVE: N/A --[ Description The DTD part of the XML document enables the document to define parameter entities, which are used (only) inside the DTD as a shortname for repeatingDTD definitions. An attacker can send a specially crafted SOAP request, which
makes use of parameter entities to inflict a denial of service condition onthe server. In some cases, the parser returns an out of memory error after a long while. In some other cases, the CPU load remains stable at 100% for as long as the process keeps running. Another effect is that memory (hundreds of megabytes) was not freed
even when the CPU load dropped and a response was issued. --[ SolutionIBM WebSPhere 5.0.0 - IBM has released a new version of PQ70921 Which can be found in
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ70921&uid=swg24005582 Apply the new patch PQ70921 (even if it was applied earlier).Microsoft ASP.NET Web Services - Microsoft has released an update to the .NET Framework.
It is documented in Knowledge Base article 826231, at the following URL: http://support.microsoft.com/default.aspx?kbid=826231
Current thread:
- Multiple vendor SOAP server (XML parser) denial of service (DTD parameter entities) Amit Klein (Dec 11)