///////////////////////////////////////////////////////////////////// //=====================>> Security Advisory <<=====================// /////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------- -----[ Multiple Vendor SOAP server array DoS ---------------------------------------------------------------------
--[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com
--[ Release Date: March 15th, 2004 (the Ides of March...)
--[ Products: * Macromedia ColdFusion/MX 6.0 and 6.1
* Macromedia ColdFusion/MX 6.0 and 6.1 J2EE (all editions)
* Macromedia JRun 4.0 (all editions)
* Sun Java System Application Server 7 Update 2 Upgrade and earlier (formerly Sun ONE Application Server)
Note: Releases prior to Sun Java System Application Server 7.0 are not affected.
* ... and probably other SOAP servers
--[ Severity: High
--[ Description The problem occurs when a SOAP based web service expects an array of objects as one of its arguments. An attacker can send a malicious SOAP request (with regular size) that incurs a denial of service condition on the SOAP server.
--[ Solution * Macromedia products - please follow the instructions of MPSB04-04, in the following URL: http://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html (NOTE: the link is not operative at this moment. Will become live probably later today)
* Sun Microsystems products - please follow the instructions of Sun Alert #57517 in the following URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57517 (NOTE: the link is not operative at this moment. Will become live probably later today)
