PT-2013-1393 · Red Hat · Red Hat Jboss Communications Platform+3

Published: 2013-07-28 · Updated: 2022-05-13 · CVE-2011-1483

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions

Red Hat JBoss Enterprise Application Platform versions 4.2.0.CP09 through 5.1.1
Red Hat JBoss Enterprise Portal Platform versions 4.3.CP06 through 5.1.1
Red Hat JBoss Enterprise SOA Platform versions 4.2.CP05 through 5.1.0
Red Hat JBoss Communications Platform versions 1.2.11 through 5.1.1
Red Hat JBoss Enterprise BRMS Platform version 5.1.0
Red Hat JBoss Enterprise Web Platform version 5.1.1
Description

The vulnerability lies in the handling of recursion during entity expansion in DOMUtils.java. A remote attacker can cause a denial of service (memory and CPU consumption) by sending a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references.
Recommendations

For Red Hat JBoss Enterprise Application Platform versions 4.2.0.CP09 through 5.1.1, consider disabling the DOMUtils.java functionality until a patch is available.
For Red Hat JBoss Enterprise Portal Platform versions 4.3.CP06 through 5.1.1, restrict access to the org.jboss.ws:jbossws-common module to minimize the risk of exploitation.
For Red Hat JBoss Enterprise SOA Platform versions 4.2.CP05 through 5.1.0, avoid using the DOMUtils.java file in the affected API endpoint until the issue is resolved.
For Red Hat JBoss Communications Platform versions 1.2.11 through 5.1.1, consider temporarily disabling the jbossws-common functionality to prevent exploitation.
For Red Hat JBoss Enterprise BRMS Platform version 5.1.0 and Red Hat JBoss Enterprise Web Platform version 5.1.1, there is currently no information about a newer version that contains a fix for this vulnerability.
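The description above boils down to a parser that accepts a DTD and expands entity references without bound. The example below is added here and is not code from Red Hat, JBoss or the DOMUtils.java file; it shows the standard JAXP hardening a defender applies to any Java component that parses untrusted XML, whether or not the vendor patch is installed. The class name HardenedXmlParse and the two embedded sample documents are constructed for this illustration; the feature URI `http://apache.org/xml/features/disallow-doctype-decl` and `XMLConstants.FEATURE_SECURE_PROCESSING` are real JAXP/Xerces settings supported by the JDK parser.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class HardenedXmlParse {

    // Constructed sample: a small document of the shape the advisory describes,
    // a DOCTYPE whose entities reference each other in nested layers. Three
    // layers are enough to show the pattern; the hardened parser never gets as
    // far as expanding any of them.
    static final String NESTED_ENTITIES =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE doc [\n"
        + "  <!ENTITY a \"aaaaaaaaaa\">\n"
        + "  <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
        + "  <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n"
        + "]>\n"
        + "<doc>&c;</doc>";

    // Constructed sample: an ordinary document with no DOCTYPE at all.
    static final String BENIGN =
        "<?xml version=\"1.0\"?><doc><item>ok</item></doc>";

    /** Builds a DocumentBuilder that refuses DTDs outright. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DOCTYPE means no entity declarations, so there is nothing to expand.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Secure processing additionally enforces the JDK's entity expansion limits.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Belt and braces for parsers that still accept a DTD from elsewhere.
        f.setExpandEntityReferences(false);
        f.setXIncludeAware(false);
        return f.newDocumentBuilder();
    }

    /**
     * Parses the document with the hardened builder and returns the root
     * element name, or null when the parser rejected the input.
     */
    static String parseRootName(String xml) throws Exception {
        try {
            Document d = hardenedBuilder().parse(new InputSource(new StringReader(xml)));
            return d.getDocumentElement().getTagName();
        } catch (SAXParseException e) {
            // disallow-doctype-decl fails fast at the DOCTYPE, before any
            // entity is declared or expanded, so no memory or CPU is consumed.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("benign document -> root: " + parseRootName(BENIGN));
        System.out.println("nested entities -> root: " + parseRootName(NESTED_ENTITIES));
    }
}
```

Rejecting the DOCTYPE is the right default for web service payloads, which have no legitimate need for a DTD; if an application must accept DTDs, keep `FEATURE_SECURE_PROCESSING` on so the JDK's expansion limits apply, and treat a parse failure at the DOCTYPE as a signal worth logging.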

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2011-1483
GHSA-RJ4P-7MM6-GM9J
RHSA-2011:1301
RHSA-2011:1303
RHSA-2011:1306
RHSA-2011:1309

Affected Products

Red Hat JBoss Communications Platform
Red Hat JBoss Enterprise Application Platform
Red Hat JBoss Enterprise SOA Platform
Red Hat JBoss Enterprise Portal Platform