I presume Sun refers to http://www.securityfocus.com/archive/1/303509.
In this case,
the only commonality between the two issues is that they both result
from a problem in the
underlying XML parser, but the problems in the XML parser are
fundamentally different.
Thanks,
-Amit
Hi,
this seems to be somehow related (at least the Java DoSes) to
"Large number of entity expansions cause 100 % CPU resulting in DoS
condition."
This bug is public since 12/2002, and fixed in JDK 1.4.1_03 according
to Sun.
Marc
On Tue, 9 Dec 2003, Amit Klein wrote:
> Date: Tue, 09 Dec 2003 18:48:48 +0200
> From: Amit Klein <Amit.Klein (at) SanctumInc (dot) com [email concealed]>
> To: bugtraq (at) securityfocus (dot) com [email concealed], news (at) securiteam (dot) com [email concealed]
> Subject: Multiple Vendor SOAP server (XML parser) attribute
blowup DoS
>
>
////////////////////////////////////////////////////////////////////////
///////
> //==========================>> Security Advisory
> <<==========================//
>
////////////////////////////////////////////////////////////////////////
///////
>
>
------------------------------------------------------------------------
--------
> -----[ Multiple Vendor SOAP server (XML parser) attribute blowup DoS
>
------------------------------------------------------------------------
--------
>
> --[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com
>
> --[ Vendors alerted: August 28th, 2003
>
> --[ Release Date: December 9th, 2003
>
> --[ Products:
>
> IBM WebSphere 5.0.0, 5.0.1, 5.0.2, 5.0.2.1
>
> Microsoft ASP.NET Web Services (.NET framework 1.0, .NET
framework 1.1)
>
> Macromedia ColdFusion MX 6.0, 6.1
>
> Macromedia JRun 4
>
> ... And probably other products which use XML parsers
>
> --[ Severity: High
>
> --[ CVE: N/A
>
> --[ Description
>
> An attacker can craft a malicious SOAP request, which uses XML
> attributes in a way that
> inflicts a denial of service condition on the target machine
(SOAP server).
> The result of this attack is that the XML parser consumes all the CPU
> resources
> for a long period of time (from seconds to minutes, depending on the
> size of the payload).
> In our experiments, we were able to send attacks (of few hunderd KBs)
> that caused the target
> machines to consume 100% CPU for several minutes.
>
> --[ Solution
>
> IBM WebSphere - Download and apply IBM patch PQ81278 from the
following URL:
>
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278
&uid=swg24005943
>
> Microsoft ASP.NET Web Services - Microsoft is aware of the issue, and
> has documented
> recommended practices for what customers should consider when
exposing
> Web service endpoints
> in Knowledge Base Article 832878
> (http://support.microsoft.com/default.aspx?kbid=832878)
>
> Macromedia - please follow the instructions of MPSB03-07, in the
> following URL:
>
http://www.macromedia.com/devnet/security/security_zone/mpsb03-07.html
>
>
>
>
--
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Sch?nefeld Dipl. Wirtsch.-Inf. / Software Developer
Hi Marc,
I presume Sun refers to http://www.securityfocus.com/archive/1/303509.
In this case,
the only commonality between the two issues is that they both result
from a problem in the
underlying XML parser, but the problems in the XML parser are
fundamentally different.
Thanks,
-Amit
Hi,
this seems to be somehow related (at least the Java DoSes) to
"Large number of entity expansions cause 100 % CPU resulting in DoS
condition."
(http://developer.java.sun.com/developer/bugParade/bugs/4791146.html)
This bug is public since 12/2002, and fixed in JDK 1.4.1_03 according
to Sun.
Marc
On Tue, 9 Dec 2003, Amit Klein wrote:
> Date: Tue, 09 Dec 2003 18:48:48 +0200
> From: Amit Klein <Amit.Klein (at) SanctumInc (dot) com [email concealed]>
> To: bugtraq (at) securityfocus (dot) com [email concealed], news (at) securiteam (dot) com [email concealed]
> Subject: Multiple Vendor SOAP server (XML parser) attribute
blowup DoS
>
>
////////////////////////////////////////////////////////////////////////
///////
> //==========================>> Security Advisory
> <<==========================//
>
////////////////////////////////////////////////////////////////////////
///////
>
>
------------------------------------------------------------------------
--------
> -----[ Multiple Vendor SOAP server (XML parser) attribute blowup DoS
>
------------------------------------------------------------------------
--------
>
> --[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com
>
> --[ Vendors alerted: August 28th, 2003
>
> --[ Release Date: December 9th, 2003
>
> --[ Products:
>
> IBM WebSphere 5.0.0, 5.0.1, 5.0.2, 5.0.2.1
>
> Microsoft ASP.NET Web Services (.NET framework 1.0, .NET
framework 1.1)
>
> Macromedia ColdFusion MX 6.0, 6.1
>
> Macromedia JRun 4
>
> ... And probably other products which use XML parsers
>
> --[ Severity: High
>
> --[ CVE: N/A
>
> --[ Description
>
> An attacker can craft a malicious SOAP request, which uses XML
> attributes in a way that
> inflicts a denial of service condition on the target machine
(SOAP server).
> The result of this attack is that the XML parser consumes all the CPU
> resources
> for a long period of time (from seconds to minutes, depending on the
> size of the payload).
> In our experiments, we were able to send attacks (of few hunderd KBs)
> that caused the target
> machines to consume 100% CPU for several minutes.
>
> --[ Solution
>
> IBM WebSphere - Download and apply IBM patch PQ81278 from the
following URL:
>
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278
&uid=swg24005943
>
> Microsoft ASP.NET Web Services - Microsoft is aware of the issue, and
> has documented
> recommended practices for what customers should consider when
exposing
> Web service endpoints
> in Knowledge Base Article 832878
> (http://support.microsoft.com/default.aspx?kbid=832878)
>
> Macromedia - please follow the instructions of MPSB03-07, in the
> following URL:
>
http://www.macromedia.com/devnet/security/security_zone/mpsb03-07.html
>
>
>
>
--
Never be afraid to try something new. Remember, amateurs built the
ark; professionals built the Titanic. -- Anonymous
Marc Sch?nefeld Dipl. Wirtsch.-Inf. / Software Developer
[ reply ]