Multiple vendors XML parser (and SOAP/WebServices server) Denial of Service attack using DTD

From: Amit Klein (Amit.Kleinat_private)
Date: Mon Dec 16 2002 - 08:51:54 PST


    ///////////////////////////////////////////////////////////////////////
    ========================>> Security Advisory <<========================
    ///////////////////////////////////////////////////////////////////////
    
    
    --------------------------------------------------------------------
    Multiple vendors XML parser (and SOAP/WebServices server)
    Denial of Service attack using DTD
    --------------------------------------------------------------------
    
    => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
    
    => Release date: 16/Dec/2002
    
    => Vendor: Multiple vendors
    
    The following products were found to be vulnerable:
    
      - The Expat Developers Expat XML parser
    
      - Apache Group Xerces XML parser
    
      - IBM WebSphere
    
      - Sun Microsystems SunONE
    
      - Apache Group Apache Axis
    
      - Macromedia ColdFusion/MX (Professional, Enterprise, J2EE Editions
        released through October, 2002)
     
      - Macromedia JRun 4.0
     
      - Sybase EAServer v4.1, v4.1.1, v4.1.2, v4.1.3
     
      - BEA WebLogic Integration 2.1, 7.0
     
      - BEA WebLogic Server/Express 6.0, 6.1, 7.0, 7.0.0.1
     
      - HP (undisclosed list of products)
     
      - Other products from other vendors are known to be vulnerable too
    
    Where not explicitly stated, the versions affected are the latest ones
    (as of October 2002).
    
    All vendors mentioned were informed, directly or indirectly, by
    November 25th.
    
    => Severity: High
    
    => CVE candidate: Not assigned yet.
    
    => BugTraq ID assigned: 6363 (Macromedia products), 6378 (BEA products)
    
    => Summary: Using the DTD part of the XML document, it is possible to
    cause the XML parser to consume 100% CPU and/or a lot of memory,
    therefore resulting in a denial of service condition.
    
    => Solution/Vendor response:
    
    Macromedia ColdFusion/MX: Macromedia has issued a bulletin regarding
    this problem, and links to product patches can be found therein:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23559
                  
    Macromedia JRun: Macromedia has issued a bulletin regarding this problem,
    and links to product patches can be found therein:
    http://www.macromedia.com/v1/handlers/index.cfm?ID=23559
    
    Sybase EAServer: Sybase has issued a bulletin regarding this problem,
    and links to product patches can be found therein:
    http://my.sybase.com/detail?id=1022856
    
    BEA WebLogic Integration: BEA has issued a bulletin regarding this problem,
    and links to product patches can be found therein:
    http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm
    
    BEA WebLogic Server/Express: BEA has issued a bulletin regarding this
    problem, and links to product patches can be found therein:
    http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm
    
    HP Products: HP requested that the following text appear in this
    advisory:
      -----------------------------------------------------
    SOURCE:  Hewlett-Packard Company
             Software Security Response Team
    
    HP SSRT case # SSRT2426
    
    At the time of writing this document, HP is
    currently investigating the potential impact
    to HP's released Operating System software products.
    
    As further information becomes available HP will provide notice
    of the availability of any necessary patches through
    standard security bulletin announcements and be
    available from your normal HP Services support channel.
      -----------------------------------------------------
     
     => Workaround:
    
    If possible, disable DTD in the XML parser. This requires raw access to
    the XML parser API, which is usually impossible for Web Services
    applications.
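    The workaround above, as an added example that is not part of the original advisory: a gate written against the Python standard-library expat binding that aborts the parse the moment a DOCTYPE declaration begins, so the DTD (internal subset included) is never processed. The function names and the sample request bodies are constructed for this illustration.

```python
import xml.parsers.expat


class DTDRejected(Exception):
    """Raised as soon as the document declares a DTD."""


def parse_without_dtd(data: bytes) -> dict:
    """Parse data with DTDs forbidden; return {"root": name, "elements": count}.

    expat fires StartDoctypeDeclHandler at the opening of <!DOCTYPE ...>,
    before the internal subset is read, so the parse aborts early.
    """
    parser = xml.parsers.expat.ParserCreate()
    summary = {"root": None, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Stop the parse here: no entity declarations get processed.
        raise DTDRejected(f"DTD not allowed (doctype {name!r})")

    def on_start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    return summary


def is_safe_request(data: bytes) -> bool:
    """Gate for a SOAP/Web Services request body: well-formed XML with no DTD."""
    try:
        parse_without_dtd(data)
        return True
    except (DTDRejected, xml.parsers.expat.ExpatError):
        return False


# Constructed sample request bodies (not taken from the advisory).
PLAIN_SOAP = b"""<?xml version="1.0"?>
<Envelope><Body><Ping/></Body></Envelope>"""

WITH_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE Envelope [ <!ENTITY greeting "hello"> ]>
<Envelope><Body>&greeting;</Body></Envelope>"""
```

    Running `is_safe_request` on a request body before it reaches the SOAP stack gives a service the DTD-off behaviour even when the stack's own parser settings are not reachable.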
    
    => Acknowledgements
    
    - Ory Segal from Sanctum, for his help in developing a generic exploit.
    
    - Tom Donovan and Stephen Dupre from Macromedia (and the rest of the
    Macromedia team) for their promptness and help with the interaction
    with other vendors.
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 18:25:09 PST