Hi, this seems to be somehow related (at least the Java DoSes) to "Large number of entity expansions cause 100 % CPU resulting in DoS condition." (http://developer.java.sun.com/developer/bugParade/bugs/4791146.html) This bug is public since 12/2002, and fixed in JDK 1.4.1_03 according to Sun. Marc On Tue, 9 Dec 2003, Amit Klein wrote: > Date: Tue, 09 Dec 2003 18:48:48 +0200 > From: Amit Klein <Amit.Klein@SanctumInc.com> > To: bugtraq@securityfocus.com, news@securiteam.com > Subject: Multiple Vendor SOAP server (XML parser) attribute blowup DoS > > /////////////////////////////////////////////////////////////////////////////// > //==========================>> Security Advisory > <<==========================// > /////////////////////////////////////////////////////////////////////////////// > > -------------------------------------------------------------------------------- > -----[ Multiple Vendor SOAP server (XML parser) attribute blowup DoS > -------------------------------------------------------------------------------- > > --[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com > > --[ Vendors alerted: August 28th, 2003 > > --[ Release Date: December 9th, 2003 > > --[ Products: > > IBM WebSphere 5.0.0, 5.0.1, 5.0.2, 5.0.2.1 > > Microsoft ASP.NET Web Services (.NET framework 1.0, .NET framework 1.1) > > Macromedia ColdFusion MX 6.0, 6.1 > > Macromedia JRun 4 > > ... And probably other products which use XML parsers > > --[ Severity: High > > --[ CVE: N/A > > --[ Description > > An attacker can craft a malicious SOAP request, which uses XML > attributes in a way that > inflicts a denial of service condition on the target machine (SOAP server). > The result of this attack is that the XML parser consumes all the CPU > resources > for a long period of time (from seconds to minutes, depending on the > size of the payload). > In our experiments, we were able to send attacks (of few hunderd KBs) > that caused the target > machines to consume 100% CPU for several minutes. > > --[ Solution > > IBM WebSphere - Download and apply IBM patch PQ81278 from the following URL: > http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ81278&uid=swg24005943 > > Microsoft ASP.NET Web Services - Microsoft is aware of the issue, and > has documented > recommended practices for what customers should consider when exposing > Web service endpoints > in Knowledge Base Article 832878 > (http://support.microsoft.com/default.aspx?kbid=832878) > > Macromedia - please follow the instructions of MPSB03-07, in the > following URL: > http://www.macromedia.com/devnet/security/security_zone/mpsb03-07.html > > > > -- Never be afraid to try something new. Remember, amateurs built the ark; professionals built the Titanic. -- Anonymous Marc Schönefeld Dipl. Wirtsch.-Inf. / Software Developer
