SecurityTracker.com
Category:   Application (Generic)  >   Apache Xerces
Vendors:   Apache Software Foundation
Xerces XML Parser Bug in Handling DTDs May Let Users Cause Denial of Service Conditions
SecurityTracker Alert ID:  1005817
SecurityTracker URL:  http://securitytracker.com/id/1005817
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Oct 19 2005
Original Entry Date:  Dec 16 2002
Impact:   Denial of service via local system, Denial of service via network


Description:   A vulnerability was reported in the Apache Xerces XML parser. A user may be able to cause an application that uses this parser to consume excessive CPU or memory resources.

A user can create a malformed Document Type Definition (DTD) to cause the XML parser to consume all available CPU and/or memory resources, denying service to other users. The specific impact of the vulnerability depends on the application using the Xerces parser.

Sanctum reported this vulnerability.

Impact:   A user can cause the Xerces parser to consume excessive CPU resources or memory resources, denying service to other users.
Solution:   No solution was available at the time of the original entry.
Vendor URL:  xml.apache.org/
Cause:   Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Multiple vendors XML parser (and SOAP/WebServices server) Denial


///////////////////////////////////////////////////////////////////////
========================>> Security Advisory <<========================
///////////////////////////////////////////////////////////////////////


--------------------------------------------------------------------
Multiple vendors XML parser (and SOAP/WebServices server)
Denial of Service attack using DTD
--------------------------------------------------------------------

=> Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/

=> Release date: 16/Dec/2002

=> Vendor: Multiple vendors

The following products were found to be vulnerable:

  - The Expat Developers Expat XML parser

  - Apache Group Xerces XML parser

  - IBM WebSphere

  - Sun Microsystems SunONE

  - Apache Group Apache Axis

  - Macromedia ColdFusion/MX (Professional, Enterprise, J2EE
                              Editions released through October, 2002)
 
  - Macromedia JRun 4.0
 
  - Sybase EAServer v4.1, v4.1.1, v4.1.2, v4.1.3
 
  - BEA WebLogic Integration 2.1, 7.0
 
  - BEA WebLogic Server/Express 6.0, 6.1, 7.0, 7.0.0.1
 
  - HP (undisclosed list of products)
 
  - Other products from other vendors are known to be vulnerable too

Where not explicitly stated, the versions affected are the latest ones
(as of October 2002).

All vendors mentioned were informed, directly or indirectly, by November 25th.

=> Severity: High

=> CVE candidate: Not assigned yet.

=> BugTraq ID assigned: 6363 (Macromedia products), 6378 (BEA products)

=> Summary: Using the DTD part of the XML document, it is possible to cause the
XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
a denial of service condition.

=> Solution/Vendor response:

Macromedia ColdFusion/MX: Macromedia has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559
              
Macromedia JRun: Macromedia has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23559

Sybase EAServer: Sybase has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://my.sybase.com/detail?id=1022856

BEA WebLogic Integration: BEA has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm

BEA WebLogic Server/Express: BEA has issued a bulletin regarding this problem,
and links to product patches can be found therein:
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2FBEA02-23.htm

HP Products: HP requested that the following text would appear in this advisory:
  -----------------------------------------------------
SOURCE:  Hewlett-Packard Company
         Software Security Response Team

HP SSRT case # SSRT2426

At the time of writing this document, HP is
currently investigating the potential impact
to HP's released Operating System software products.

As further information becomes available HP will provide notice
of the availability of any necessary patches through
standard security bulletin announcements and be
available from your normal HP Services support channel.
  -----------------------------------------------------
 
=> Workaround:

If possible, disable DTD in the XML parser. This requires raw access to the XML
parser API, which is usually impossible for Web Services applications.

=> Acknowledgements

- Ory Segal from Sanctum, for his help in developing a generic exploit.

- Tom Donovan and Stephen Dupre from Macromedia (and the rest of the Macromedia team)
for their promptness and help with the interaction with other vendors.
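
Added example (not part of the advisory or of any vendor's code): one way to apply the "disable DTD" workaround where the application constructs its own JAXP parser, using the disallow-doctype-decl feature of current Xerces-J and the JDK's built-in parser. The class name, helper names and sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class NoDtdParser {
    // Xerces feature URI: with this set, any <!DOCTYPE ...> is a fatal error,
    // so the DTD is never processed at all.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Build a parser that refuses documents carrying a DTD.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true);
        // Defense in depth: enables the implementation's processing limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f.newDocumentBuilder();
    }

    // Returns true if the document parsed, false if the parser rejected it.
    static boolean accepts(String xml) throws Exception {
        DocumentBuilder b = hardenedBuilder();
        try {
            b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException e) {
            // A DOCTYPE (or any well-formedness error) ends up here.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: one plain document, one with a harmless DTD.
        String plain = "<order><item>1</item></order>";
        String withDtd = "<!DOCTYPE order [<!ELEMENT order ANY>]><order/>";
        System.out.println("no DOCTYPE   -> accepted=" + accepts(plain));
        System.out.println("with DOCTYPE -> accepted=" + accepts(withDtd));
    }
}
```

If the factory throws ParserConfigurationException on setFeature, the underlying parser does not support the feature and the workaround is not in effect; treat that as a deployment failure rather than falling back to a default parser.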




 
 



Copyright 2019, SecurityGlobal.net LLC