Category:   Application (Generic)  >   Adobe ColdFusion
Vendors:   Macromedia
Macromedia ColdFusion SOAP Request Processing Bug Lets Remote Users Deny Service
SecurityTracker Alert ID:  1009431
SecurityTracker URL:  http://securitytracker.com/id/1009431
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 15 2004
Impact:   Denial of service via network
Vendor Confirmed:  Yes  
Version(s): 6.0, 6.1
Description:   A vulnerability was reported in the Macromedia ColdFusion Server in the processing of SOAP requests. A remote user can cause denial of service conditions on the target system.

Sanctum reported that a remote user can send a specially crafted SOAP request to cause denial of service conditions on the target SOAP server. If the request does not contain the expected array of objects as one of the arguments, the flaw can reportedly be triggered.

Impact:   A remote user can cause denial of service conditions on the target system.
Solution:   Macromedia will issue a fix shortly, to be described in security bulletin MPSB04-04 at:

http://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html

Vendor URL:  www.macromedia.com/devnet/security/security_zone/mpsb04-04.html
Cause:   Exception handling error
Underlying OS:  Linux (Any), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 16 2004 (Vendor Issues Fix) Macromedia ColdFusion SOAP Request Processing Bug Lets Remote Users Deny Service
The vendor has issued a fix.



 Source Message Contents

Subject:  Multiple Vendor SOAP server array DoS


/////////////////////////////////////////////////////////////////////
//=====================>> Security Advisory <<=====================//
/////////////////////////////////////////////////////////////////////

---------------------------------------------------------------------
-----[ Multiple Vendor SOAP server array DoS
---------------------------------------------------------------------

--[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com

--[ Release Date: March 15th, 2004 (the Ides of March...)

--[ Products:
* Macromedia ColdFusion/MX 6.0 and 6.1

* Macromedia ColdFusion/MX 6.0 and 6.1 J2EE (all editions)

* Macromedia JRun 4.0 (all editions)

* Sun Java System Application Server 7 Update 2 Upgrade and earlier
  (formerly Sun ONE Application Server)
 
  Note: Releases prior to Sun Java System Application Server 7.0 are
  not affected.

* ... and probably other SOAP servers

--[ Severity: High

--[ Description
The problem occurs when a SOAP based web service expects an array of
objects as one of its arguments.
An attacker can send a malicious SOAP request (with regular size)
that incurs a denial of service condition on the SOAP server.

--[ Solution
* Macromedia products - please follow the instructions of MPSB04-04,
in the following URL:
http://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html
(NOTE: the link is not operative at this moment. Will become live
probably later today)

* Sun Microsystems products - please follow the instructions of Sun
Alert #57517 in the following URL:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57517
(NOTE: the link is not operative at this moment. Will become live
probably later today)


 
 

