Oracle9i Database and Application Server SOAP DTD Denial of Service
SECUNIA ADVISORY ID:
SA10936
VERIFY ADVISORY:
http://secunia.com/advisories/10936/
CRITICAL:
Moderately critical
IMPACT:
DoS
WHERE:
From remote
SOFTWARE:
Oracle9i Database Standard Edition
Oracle9i Database Enterprise Edition
Oracle9i Application Server
DESCRIPTION:
Amit Klein has identified a vulnerability in Oracle9i Database and Application Server, allowing malicious people to cause a Denial of Service.
The vulnerability is caused by an error in the XML parser when parsing the DTD (Document Type Definition) part of XML documents.
This can be exploited on SOAP-enabled servers by sending a specially crafted SOAP request, which causes a vulnerable SOAP server to consume all CPU resources for an extended period of time as well as large amounts of memory.
The following versions are affected:
Oracle9i Application Server Release 2, version 9.0.3.0 and 9.0.3.1
Oracle9i Application Server Release 2, version 9.0.2.1 and earlier
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle9i Database Server Release 2, version 9.2.0.2
Oracle9i Database Server Release 1, version 9.0.1.4
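Added example, not part of the Secunia or Oracle advisory: a gateway-side check in Python that refuses any SOAP body carrying a DOCTYPE or entity declaration before the application's own XML parser processes it. Both SOAP 1.1 and SOAP 1.2 state that a message MUST NOT contain a Document Type Declaration, so rejecting the DTD part outright loses nothing legitimate; the 1 MiB body limit, the sample envelopes and the function names are assumptions made for the example, and the standard-library expat parser is used because an exception raised from one of its handlers aborts parsing immediately, before any DTD content is expanded.

```python
"""Reject SOAP request bodies that contain a DTD before the real parser sees them."""
import xml.parsers.expat

MAX_BODY_BYTES = 1 << 20  # assumed gateway limit (1 MiB); tune per deployment


class DtdRejected(Exception):
    """Raised by the expat handlers as soon as a DTD construct appears."""


def _on_doctype(name, sysid, pubid, has_internal_subset):
    # Fires on the DOCTYPE itself, whether it has an internal subset,
    # an external SYSTEM/PUBLIC identifier, or neither.
    raise DtdRejected(f"DOCTYPE {name!r} is not allowed in a SOAP message")


def _on_entity(*_args):
    # Defence in depth: entity declarations can only occur inside a DTD.
    raise DtdRejected("entity declaration is not allowed in a SOAP message")


def check_soap_body(body: bytes) -> tuple:
    """Return (accepted, reason). Parsing stops at the first DTD construct,
    so the work done on a rejected body is bounded by its size."""
    if len(body) > MAX_BODY_BYTES:
        return False, "body exceeds size limit"
    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _on_doctype
    parser.EntityDeclHandler = _on_entity
    # No ExternalEntityRefHandler is set, so expat never fetches external DTDs.
    try:
        parser.Parse(body, True)
    except DtdRejected as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, "ok"


# Constructed sample messages (not taken from the advisory).
BENIGN_ENVELOPE = (
    b'<?xml version="1.0"?>'
    b'<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<SOAP-ENV:Body><m:GetPrice xmlns:m="urn:example"><m:Item>apple</m:Item>'
    b"</m:GetPrice></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)
DTD_ENVELOPE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE Envelope [ <!ENTITY item "apple"> ]>'
    b"<Envelope><Body><Item>&item;</Item></Body></Envelope>"
)

if __name__ == "__main__":
    print(check_soap_body(BENIGN_ENVELOPE))  # (True, 'ok')
    print(check_soap_body(DTD_ENVELOPE))     # (False, "DOCTYPE 'Envelope' is not allowed ...")
```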
SOLUTION:
Patches are available, see Metalink Document ID 259556.1:
http://metalink.oracle.com/
PROVIDED AND/OR DISCOVERED BY:
Amit Klein, Sanctum Inc.
ORIGINAL ADVISORY:
http://otn.oracle.com/deploy/security/pdf/2004alert65.pdf
For further details and links, see the full Secunia Advisory: http://secunia.com/advisories/10936/
