IBM DataPower XI50 - More security problems

A colleague forwarded me this link which highlights what appears to be a severe memory limitation with the IBM DataPower XI50. It appears that the device is having trouble applying an XML digital signature to a 100MB XML file.

This brings back the issue of using knowledge of the complexities involved in XML digital signatures to execute a Denial of Service (DoS) attack. Using this information an attacker could search for a DataPower device currently performing XML signatures on much smaller documents and take down the box with a single large document. I guess you might say this post highlights not one, but two problems with IBM DataPower: (a) it can't handle digital signatures on large XML, and (b) that limitation results in a potential DoS vulnerability.
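The defensive counterpart to the scenario above is to bound the resources a document may consume before the signature engine ever touches it. The following is an added example, not code from the original post or from IBM DataPower: it streams an inbound document once, enforcing constructed byte, element-count and nesting-depth limits, and only then runs the expensive canonicalization-plus-digest step that an XML-DSig implementation performs. The limit values, the sample documents and the helper names (`check_limits`, `guarded_digest`) are all assumptions made for illustration.

```python
"""Resource guard in front of XML signature processing (hypothetical example).

Bound the size, element count and nesting depth of an inbound XML document
BEFORE running the canonicalization + digest step that an XML-DSig engine
performs. All limits and sample documents below are constructed.
"""
import hashlib
import io
import xml.etree.ElementTree as ET

# Constructed limits; a real deployment tunes these to its traffic profile.
MAX_BYTES = 64 * 1024        # reject anything over 64 KiB before parsing
MAX_ELEMENTS = 10_000        # total element start tags
MAX_DEPTH = 32               # nesting depth


class XmlResourceLimitExceeded(Exception):
    """Raised when a document exceeds a configured limit."""


def check_limits(data: bytes) -> dict:
    """Stream through the document once, enforcing byte/element/depth limits.

    The byte check runs before any parsing. iterparse then walks the document
    incrementally; finished elements are cleared so the full tree is never
    retained. Returns the measured statistics for logging when the document
    passes.
    """
    if len(data) > MAX_BYTES:
        raise XmlResourceLimitExceeded(
            f"document is {len(data)} bytes, limit is {MAX_BYTES}")
    elements = depth = max_depth = 0
    for event, elem in ET.iterparse(io.BytesIO(data), events=("start", "end")):
        if event == "start":
            elements += 1
            depth += 1
            max_depth = max(max_depth, depth)
            if elements > MAX_ELEMENTS:
                raise XmlResourceLimitExceeded(
                    f"more than {MAX_ELEMENTS} elements")
            if depth > MAX_DEPTH:
                raise XmlResourceLimitExceeded(
                    f"nesting deeper than {MAX_DEPTH}")
        else:
            depth -= 1
            elem.clear()  # release already-processed subtrees
    return {"bytes": len(data), "elements": elements, "max_depth": max_depth}


def canonical_digest(data: bytes) -> str:
    """SHA-256 over the C14N form of the document.

    This is the costly step (full parse plus canonicalization) that a
    signature engine runs to produce a DigestValue; it is only reached after
    check_limits has passed.
    """
    canon = ET.canonicalize(data.decode("utf-8"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def guarded_digest(data: bytes) -> tuple:
    """Return ("ok", hex_digest) or ("rejected", reason)."""
    try:
        check_limits(data)
    except XmlResourceLimitExceeded as exc:
        return ("rejected", str(exc))
    return ("ok", canonical_digest(data))


# Constructed sample inputs.
SMALL_DOC = b'<order id="1"><item sku="A">1</item></order>'
# Same document with single quotes and reordered attributes: C14N makes the
# digests identical, which is why the canonical form is what gets signed.
SMALL_DOC_VARIANT = b"<order id='1'><item sku='A'>1</item></order>"
# Under the byte limit (about 48 KB) but over the element limit.
TOO_MANY_ELEMENTS_DOC = b"<a>" + b"<b/>" * 12_000 + b"</a>"
# Tiny in bytes, but nested 40 levels deep.
TOO_DEEP_DOC = b"<d>" * 40 + b"</d>" * 40

if __name__ == "__main__":
    for name, doc in [("small", SMALL_DOC), ("many-elements", TOO_MANY_ELEMENTS_DOC),
                      ("deep", TOO_DEEP_DOC)]:
        print(name, guarded_digest(doc))
```

The point of the split is ordering: every limit is evaluated on a single streaming pass, so an oversized or pathologically nested document is refused at a cost proportional to the limit rather than to the document, and the canonicalization work that makes signing expensive is never spent on input that has not already been accepted.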

Posted by Blake Dournaee on 5:46 PM

5 comments:

Anonymous said...

This information is inaccurate.

Anonymous said...

Yep, and alarmist. Maybe he was speaking philosophically. If the service being discussed in the forum were not suffering from design problems and signatures were not being misused then there might be a problem, so in the purest sense of the Platonic forms, there is definitely a problem somewhere outside his cave. He can see its shadow.

electronic seal said...

Is it really true? I think that IBM might have worked this out by now. Can you tell what the actual reason was that caused this issue?

Anonymous said...

Not sure if IBM has fixed this limitation or not, but generally I don't see the xi50 use case as being any different than any more primitive messaging system. The size of the messages should be kept small for routing/evaluation/etc but beefy payload should be passed in a shared store and the pointer to it passed in the ESB messages. See Claim Check pattern.

About Me

I have been working in the XML/SOA and security space for about 10 years. I currently work at Intel Corporation in their software group. I wrote the first book on XML Security and am a co-author of SOA Demystified from Intel Press. My interests are an eclectic mix of computing, security, business, technology and philosophy