Vigil@nce - Pivotal Spring Framework: memory overload via XML entities
July 2015 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can make Pivotal Spring Framework use excessive amount
of memory, in order to trigger a denial of service.
Impacted products: Fedora
Severity: 1/4
Creation date: 01/07/2015
DESCRIPTION OF THE VULNERABILITY
The Pivotal Spring Framework product may process XML documents
externally originating.
Entity definitions found in the internal subset of the DTD are
taken into account by default. However, there is no limit to the
memory that may be allocated for a given document. So, one can
define entities the expansion of which will create huge string,
and will lead to processing failure. The resulting exception may
be caught, so this does not necessarily leads to application abort.
An attacker can therefore make Pivotal Spring Framework use
excessive amount of memory, in order to trigger a denial of
service.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Pivotal-Spring-Framework-memory-overload-via-XML-entities-17283