PQ69451, 4.0.x: XML Parser Denial of service attack using DTD
 Downloadable files
 
Abstract
Denial of service through the DTD part of an XML document, which causes the WebSphere® XML parser to consume 100% of CPU resources.
 
Download Description
PQ69451 resolves the following problems:

ERROR DESCRIPTION:
CMVC Defect: 155616. WebSphere Application Server V4.0, all supported platforms. Denial of service through the DTD part of an XML document, which causes the WebSphere XML parser to consume 100% of CPU resources. Keywords: Denial Service DTD XML Parser 100% CPU.

USERS AFFECTED:
All users of XERCES supplied by WebSphere Application Server

PROBLEM DESCRIPTION:
Denial of service caused by the DTD part of an XML document, where the WebSphere XML parser can consume 100% of CPU resources.

RECOMMENDATION:
This problem is a result of the XML4J version that is used with WebSphere Application Server. To resolve this problem, the XML4J version shipped with WebSphere Application Server 4.0.x was updated to 3.2.4. XML4J 3.2.4 contains a patch for the denial of service attack and is also needed for SOAP.
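The fix above replaces the parser jar; for applications that parse untrusted XML, a complementary defence is to reject any DOCTYPE declaration so the DTD is never processed at all. The following is an added example, not IBM's code and not part of the efix; it assumes a JAXP parser built on Xerces2 (such as the one bundled with the JDK), which honours the disallow-doctype-decl feature, and makes no assumption that XML4J 3.2.4 itself supports that feature.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParser;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.xml.sax.helpers.DefaultHandler;

public class HardenedXmlParse {
    // Xerces2 feature URI; assumed to be supported by the JAXP implementation in use.
    static final String DISALLOW_DOCTYPE = "http://apache.org/xml/features/disallow-doctype-decl";

    // Builds a SAX parser that refuses DOCTYPE declarations and external entities,
    // so a DTD crafted to exhaust the parser is rejected before it is expanded.
    static SAXParser newHardenedParser() throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature(DISALLOW_DOCTYPE, true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return f.newSAXParser();
    }

    // Returns true if the document parsed, false if the parser rejected it.
    static boolean parse(String xml) throws Exception {
        try {
            newHardenedParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler());
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a plain document, and one carrying an otherwise harmless
        // internal DTD subset. The hardened parser accepts the first and rejects the second.
        String plain = "<order><id>42</id></order>";
        String withDtd = "<!DOCTYPE order [<!ELEMENT order (id)><!ELEMENT id (#PCDATA)>]>"
                + "<order><id>42</id></order>";
        System.out.println("plain accepted:   " + parse(plain));
        System.out.println("doctype accepted: " + parse(withDtd));
    }
}
```

Rejecting every DOCTYPE is the right default only for feeds that never legitimately carry a DTD; where DTDs are required, the remaining features still block external entity fetches but do not by themselves bound internal entity expansion.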

PROBLEM CONCLUSION:
Replaced xerces.jar to correct this problem.

TEMPORARY FIX:
eFix placed on the pq99999 site. Name is pq69451.jar.
 
Prerequisites
None
 
 
Installation instructions
Please refer to the readme for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 2126
 
Download package
DOWNLOAD RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
PQ69451_eFix_AEsServer_AEServer.jar 1/7/2003 US English 1714646 FTP DD
 
Technical support
800-IBM-SERV U.S. Only
 
Problems (APARs) fixed
PQ69451
 
 


Document Information


Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server > Security
Operating system(s): HP-UX
Software version: 4.0.5
Software edition:
Reference #: 4003729
IBM Group: Software Group
Modified date: Apr 3, 2005