[32812] in bugtraq
Multiple vendor SOAP server (XML parser) denial of service (DTD parameter
daemon@ATHENA.MIT.EDU (Amit Klein)
Thu Dec 11 14:40:49 2003
Message-ID: <3FD8B039.2000405@SanctumInc.com>
Date: Thu, 11 Dec 2003 19:58:17 +0200
From: Amit Klein <Amit.Klein@SanctumInc.com>
MIME-Version: 1.0
To: BugTraq@securityfocus.com, news@securiteam.com
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
///////////////////////////////////////////////////////////////////////////////
//==========================>> Security Advisory
<<==========================//
///////////////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------------------
-----[ Multiple vendor SOAP server (XML parser) denial of service
(DTD parameter entities)
--------------------------------------------------------------------------------
--[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com
--[ Vendors alerted: August 28th, 2003
--[ Release Date: December 11th, 2003
--[ Product:
IBM WebSphere 5.0.0 (even when patched with "old" PQ70921)
Microsoft ASP.NET Web Services (.NET framework 1.0, .NET framework 1.1)
... And probably other products which use XML parsers
--[ Severity: High
--[ CVE: N/A
--[ Description
The DTD part of the XML document enables the document to define parameter
entities, which are used (only) inside the DTD as a shortname for repeating
DTD definitions. An attacker can send a specially crafted SOAP request,
which
makes use of parameter entities to inflict a denial of service condition on
the server. In some cases, the parser returns an out of memory error
after a long while.
In some other cases, the CPU load remains stable at 100% for as long as
the process
keeps running. Another effect is that memory (hundreds of megabytes) was
not freed
even when the CPU load dropped and a response was issued.
--[ Solution
IBM WebSPhere 5.0.0 - IBM has released a new version of PQ70921 Which
can be found in
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ70921&uid=swg24005582
Apply the new patch PQ70921 (even if it was applied earlier).
Microsoft ASP.NET Web Services - Microsoft has released an update to the
.NET Framework.
It is documented in Knowledge Base article 826231, at the following URL:
http://support.microsoft.com/default.aspx?kbid=826231
