BugTraq
Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD Dec 16 2002 04:51PM
Amit Klein (Amit Klein SanctumInc com)
///////////////////////////////////////////////////////////////////////
========================>> Security Advisory <<========================
///////////////////////////////////////////////////////////////////////

--------------------------------------------------------------------
Multiple vendors XML parser (and SOAP/WebServices server)
Denial of Service attack using DTD
--------------------------------------------------------------------

=> Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 16/Dec/2002

=> Vendor: Multiple vendors

The following products were found to be vulnerable:

- The Expat Developers Expat XML parser

- Apache Group Xerces XML parser

- IBM WebSphere

- Sun Microsystems SunONE

- Apache Group Apache Axis

- Macromedia ColdFusion/MX (Professional, Enterprise, J2EE
Editions released through October, 2002)

- Macromedia JRun 4.0

- Sybase EAServer v4.1, v4.1.1, v4.1.2, v4.1.3

- BEA WebLogic Integration 2.1, 7.0

- BEA WebLogic Server/Express 6.0, 6.1, 7.0, 7.0.0.1

- HP (undisclosed list of products)

- Other products from other vendors are known to be vulnerable too

Where not explicitly stated, the versions affected are the latest ones
(as of October 2002).

All vendors mentioned were informed, directly or indirectly, by November
25th.

=> Severity: High

=> CVE candidate: Not assigned yet.

=> BugTraq ID assigned: 6363 (Macromedia products), 6378 (BEA products)

=> Summary: Using the DTD part of the XML document, it is possible to
cause the
XML parser to consume 100% CPU and/or a lot of memory, therefore
resulting in
a denial of service condition.

=> Solution/Vendor response:

Macromedia ColdFusion/MX: Macromedia has issued a bulletin regarding
this problem,
and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559

Macromedia JRun: Macromedia has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559

Sybase EAServer: Sybase has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://my.sybase.com/detail?id=1022856

BEA WebLogic Integration: BEA has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=ad
visoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvi
soriesnotifications%2FBEA02-23.htm

BEA WebLogic Server/Express: BEA has issued a bulletin regarding this
problem,
and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=ad
visoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvi
soriesnotifications%2FBEA02-23.htm

HP Products: HP requested that the following text would appear in this
advisory:
-----------------------------------------------------
SOURCE: Hewlett-Packard Company
Software Security Response Team

HP SSRT case # SSRT2426

At the time of writing this document, HP is
currently investigating the potential impact
to HP's released Operating System software products.

As further information becomes available HP will provide notice
of the availability of any necessary patches through
standard security bulletin announcements and be
available from your normal HP Services support channel.
-----------------------------------------------------

=> Workaround:

If possible, disable DTD in the XML parser. This requires raw access to
the XML
parser API, which is usually impossible for Web Services applications.

=> Acknowledgements

- Ory Segal from Sanctum, for his help in developing a generic exploit.

- Tom Donovan and Stephen Dupre from Macromedia (and the rest of the
Macromedia team)
for their promptness and help with the interaction with other vendors.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus