PQ70921: XML Parser Denial of Service attack using DTD for Application Server
Abstract
A denial of service can be triggered through the DTD portion of an XML document, causing the WebSphere XML parser to consume an excessive amount of CPU resources.
 
Download Description
This problem is a result of the XML4J version used with WebSphere Application Server. To resolve this problem, the WebSphere Application Server XML4J version was updated to 3.2.4. XML4J 3.2.4 contains a patch for the denial of service security vulnerability, and is also needed for SOAP.
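The fix above updates the parser library itself. As an added example that is not part of this fix, of XML4J, or of WebSphere, the following shows the application-side hardening a practitioner would also want: configuring a JAXP DocumentBuilder so that documents carrying a DTD are rejected before the parser does any entity work. It assumes a current JAXP parser (the JDK's built-in Xerces-derived parser or Xerces 2.x); the feature URIs are the standard Xerces/SAX feature names, and the sample documents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class DtdHardening {

    // Xerces / SAX feature names; assumed to be supported by the JAXP parser in use.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";
    static final String EXTERNAL_GENERAL_ENTITIES =
        "http://xml.org/sax/features/external-general-entities";
    static final String EXTERNAL_PARAMETER_ENTITIES =
        "http://xml.org/sax/features/external-parameter-entities";

    // Builds a parser that refuses any DOCTYPE and, as defence in depth,
    // disables external entities and entity expansion.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Secure processing also enforces the JDK's entity-expansion limits.
        factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Reject the DTD outright: no DOCTYPE means no entity declarations to expand.
        factory.setFeature(DISALLOW_DOCTYPE, true);
        factory.setFeature(EXTERNAL_GENERAL_ENTITIES, false);
        factory.setFeature(EXTERNAL_PARAMETER_ENTITIES, false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    // Returns true if the document was accepted, false if the parser rejected it.
    static boolean accepts(DocumentBuilder builder, String xml) {
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException | IOException e) {
            // A SAXParseException here is the expected outcome for DOCTYPE input.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder builder = hardenedBuilder();

        // Constructed sample input: an ordinary document and one carrying a DTD.
        String plain = "<order><id>42</id></order>";
        String withDtd = "<!DOCTYPE order [<!ENTITY e \"x\">]><order>&e;</order>";

        System.out.println("plain document accepted:   " + accepts(builder, plain));
        System.out.println("DOCTYPE document accepted: " + accepts(builder, withDtd));
    }
}
```

Run with `java DtdHardening.java` on a recent JDK. The first document parses normally; the second is rejected with a SAXParseException as soon as the parser sees the DOCTYPE, so no entity declared in the DTD is ever expanded. If an application genuinely needs internal DTDs, keeping FEATURE_SECURE_PROCESSING enabled still bounds entity expansion, but refusing the DOCTYPE is the setting that removes the CPU-exhaustion vector described in the abstract.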

Applying this iFix replaces the xerces.jar file in WebSphere.

IMPORTANT: PQ70921 is for version 5.0.0 only. This Fix is included in Fix Pack 1. Applying Fix Pack 1 instead of PQ70921 will correct this problem. It is recommended that customers install Fix Pack 1 or Fix Pack 2 instead of PQ70921.

Fix Pack 1 is available at
General/swg24004576.html

Fix Pack 2 is available at
General/swg24005012.html
 
Prerequisites
THE UPDATE INSTALLER IS REQUIRED TO INSTALL THIS FIX:
Install/swg24001908.html
 
 
Installation Instructions
See the readme.txt file for installation instructions.
 
File: Readme   Language: US English   Size: 2028 bytes
 
Download package
Download: PQ70921   Release date: 8/18/2003   Language: US English   Size: 1254745 bytes   Download options: FTP, DD
 
Technical support
1-800-IBM-SERV (U.S. calls only) or see the WebSphere Application Server Support Site
http://www.ibm.com/software/webservers/appserv/was/support/
 
Cross Reference information
Segment: Application Servers   Product: Runtimes for Java Technology   Component: Java SDK
Problems (APARS) fixed
PQ70921

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Web Services (for example: SOAP or UDDI or WSGW or WSIF)
Operating system(s): Windows
Software version: 5.0
Software edition:
Reference #: 4005582
IBM Group: Software Group
Modified date: Aug 17, 2004