DoS Flaw in SOAP DTD Parameter.

December 15, eSecurity Planet

IBM and Microsoft have released fixes for a potentially serious vulnerability that could be exploited to trigger denial-of-service attacks. The companies said the vulnerability was caused by an error in the XML parser when parsing the DTD (Document Type Definition) part of XML documents. Affected software includes IBM WebSphere 5.0.0 and Microsoft ASP.NET Web Services (.NET Framework 1.0 and .NET Framework 1.1). According to IBM, the security patch fixes a flaw that could be exploited by sending a specially crafted SOAP request. "This can cause the WebSphere XML Parser to consume an excessive amount of CPU resources," the company warned.

IBM's security patch is available here:
http://www-1.ibm.com/support/docview.wss?rs=180&context=SSEQTP&q=PQ709%2021&uid=swg24005582

Microsoft confirmed the DTD parsing vulnerability. In some cases, Microsoft recommended rejecting outright any XML message that contains a DTD; the company noted that the SOAP 1.1 specification states that a SOAP message must not contain a DTD.

Microsoft's security patch is available here:
http://support.microsoft.com/default.aspx?kbid=826231.
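The rejection Microsoft describes can be done at the parser boundary rather than after the fact: a SOAP 1.1 endpoint has no legitimate reason to accept a DOCTYPE, so the cheapest defence is to abort parsing the moment one appears, before any DTD content is handed to the parser. The following is an added example written for this page, not code from IBM, Microsoft or eSecurity Planet. It uses Python's standard-library expat binding; the function name `screen_soap_message`, the namespace constant and the three sample request bodies are assumptions constructed for the illustration, and the DTD sample is not a reproduction of the 2003 trigger.

```python
"""Screen inbound SOAP 1.1 request bodies and reject any that carry a DTD.

Added illustration, not code from IBM, Microsoft or eSecurity Planet. Uses only
the stdlib expat binding; sample messages below are constructed for this demo.
"""
import xml.parsers.expat

SOAP11_ENVELOPE_NS = "http://schemas.xmlsoap.org/soap/envelope/"


class DtdRejected(Exception):
    """Raised from the expat callback the moment a DOCTYPE is encountered."""


def screen_soap_message(data: bytes) -> tuple:
    """Return (accepted, reason) for a raw SOAP request body.

    Expat invokes StartDoctypeDeclHandler when it sees '<!DOCTYPE', before the
    internal or external subset (entity declarations etc.) is parsed, so
    raising there stops the parse before any DTD content is processed.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    root_tag = []  # first start tag seen, as "namespace-uri localname"

    def on_doctype(name, system_id, public_id, has_internal_subset):
        raise DtdRejected(
            "DOCTYPE for %r found; SOAP 1.1 messages MUST NOT contain a DTD" % name)

    def on_start_element(tag, attrs):
        if not root_tag:
            root_tag.append(tag)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start_element
    try:
        parser.Parse(data, True)
    except DtdRejected as exc:
        return (False, str(exc))
    except xml.parsers.expat.ExpatError as exc:
        return (False, "not well-formed XML: %s" % exc)

    # A well-formed document that is not a SOAP 1.1 envelope is also refused.
    if not root_tag or root_tag[0] != SOAP11_ENVELOPE_NS + " Envelope":
        return (False, "root element is not a SOAP 1.1 Envelope")
    return (True, "ok")


# Constructed sample: an ordinary SOAP 1.1 request with no DTD.
CLEAN_REQUEST = b"""<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote xmlns="urn:example"><symbol>IBM</symbol></GetQuote></soap:Body>
</soap:Envelope>"""

# Constructed sample: the same request with a DOCTYPE and an internal subset.
# The entity declaration is never read; the DOCTYPE itself triggers rejection.
DTD_REQUEST = b"""<?xml version="1.0"?>
<!DOCTYPE soap:Envelope [
  <!ENTITY x "xxxxxxxxxx">
]>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><GetQuote xmlns="urn:example"><symbol>&x;</symbol></GetQuote></soap:Body>
</soap:Envelope>"""

# Constructed sample: well-formed XML that is not a SOAP envelope at all.
NOT_SOAP = b"<quote><symbol>IBM</symbol></quote>"


if __name__ == "__main__":
    for label, body in (("clean", CLEAN_REQUEST), ("dtd", DTD_REQUEST), ("not-soap", NOT_SOAP)):
        print(label, screen_soap_message(body))
```

The check is placed in the DOCTYPE callback rather than in a byte scan of the request for `<!DOCTYPE` because the parser sees the declaration after decoding, so a request in UTF-16 or another encoding cannot slip past it. Rejecting on the declaration itself, rather than on what the DTD contains, is what makes the rule cheap: the parser does no work on the internal subset at all, which is exactly the work the advisory says consumes excessive CPU.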

Source: http://www.esecurityplanet.com/trends/article.php/3289191