Denial Of Service (DoS)

2020-04-1001:03:01

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

jbossws-common is vulnerable to denial of service (DoS). The vulnerability exists as it was found that JBoss Web Services Native did not properly protect against recursive entity resolution when processing Document Type Definitions (DTD). A remote attacker could exploit this flaw by sending a specially-crafted HTTP POST request to a deployed web service, causing excessive CPU and memory consumption on the system hosting that service. If the attack is repeated to consume all available network sockets, the server will become unavailable. This flaw did not affect systems using JBoss Web Services CXF.

CPENameOperatorVersion
jbossws-commoneq1.1.0__3.SP7.1.ep5.el6
jbossws-commoneq1.1.0__3.SP7.1.ep5.el4
jbossws-commoneq1.1.0__3.SP7.1.ep5.el5
jbossaseq4.0.4__1.el4s1.25
jbossaseq4.0.4__1.el4s1.20
jbossaseq4.0.5__2.CP04.el4s1.2
jbossaseq4.2.0__3.GA_CP02.ep1.3.el4
jbossaseq4.2.0__1.ep1.9.el5
jbossaseq4.2.0__2.CP01.ep1.3.el5
jbossaseq4.2.0__4.GA_CP02.ep1.3.el5.3

Name	Operator	Version
jbossws-common	eq	1.1.0__3.SP7.1.ep5.el6
jbossws-common	eq	1.1.0__3.SP7.1.ep5.el4
jbossws-common	eq	1.1.0__3.SP7.1.ep5.el5
jbossas	eq	4.0.4__1.el4s1.25
jbossas	eq	4.0.4__1.el4s1.20
jbossas	eq	4.0.5__2.CP04.el4s1.2
jbossas	eq	4.2.0__3.GA_CP02.ep1.3.el4
jbossas	eq	4.2.0__1.ep1.9.el5
jbossas	eq	4.2.0__2.CP01.ep1.3.el5
jbossas	eq	4.2.0__4.GA_CP02.ep1.3.el5.3