Multiple Vendor SOAP server array DoS
/////////////////////////////////////////////////////////////////////
//=====================>> Security Advisory <<=====================//
/////////////////////////////////////////////////////////////////////
---------------------------------------------------------------------
-----[ Multiple Vendor SOAP server array DoS
---------------------------------------------------------------------
--[ Author: Amit Klein, Sanctum inc. http://www.SanctumInc.com
--[ Release Date: March 15th, 2004 (the Ides of March...)
--[ Products:
* Macromedia ColdFusion/MX 6.0 and 6.1
* Macromedia ColdFusion/MX 6.0 and 6.1 J2EE (all editions)
* Macromedia JRun 4.0 (all editions)
* Sun Java System Application Server 7 Update 2 Upgrade and earlier
(formerly Sun ONE Application Server)
Note: Releases prior to Sun Java System Application Server 7.0 are
not affected.
* ... and probably other SOAP servers
--[ Severity: High
--[ Description
The problem occurs when a SOAP based web service expects an array of
objects as one of its arguments.
An attacker can send a malicious SOAP request (with regular size)
that incurs a denial of service condition on the SOAP server.
--[ Solution
* Macromedia products - please follow the instructions of MPSB04-04,
in the following URL:
http://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html
(NOTE: the link is not operative at this moment. Will become live
probably later today)
* Sun Microsystems products - please follow the instructions of Sun
Alert #57517 in the following URL:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57517
(NOTE: the link is not operative at this moment. Will become live
probably later today)