Environment
NetIQ Access Manager 4.1
Situation
The following URL on the Identity Server, "/nidp/service/IDSISCredentialProfile?wsdl", is open for everyone to discover. This file simply describes the web service interface used by the IDP/AGs for updating credential profile information. Although very few people use this outside of the Access Gateway, it is possible to upload a large file to this interface and cause a stack dump. Repeating the exercise thousands of times could generate
POST /nidp/services/IDSISCredentialProfile HTTP/1.1
Host: federation.novell.com
Accept-Encoding: gzip,deflate
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
[...]

<soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:urn="urn:novell:credentialprofile:2005-03">
  <soapenv:Header/>
  <soapenv:Body>
    <urn:Query xsi:type="xsd:anyType"><E>x</E></urn:Query>
  </soapenv:Body>
</soapenv:Envelope>

HTTP/1.1 500 Internal Server Error
Server: Apache-Coyote/1.1
[...]

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>soapenv:Server.generalException</faultcode>
      <faultstring>java.lang.OutOfMemoryError: Java heap space; nested exception is: java.lang.OutOfMemoryError: Java heap space</faultstring>
      <detail><ns1:hostname xmlns:ns1="http://xml.apache.org/axis/">neilidp4.lab.novell.com</ns1:hostname></detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
Resolution
Fixed in NAM 4.2.
On 4.1, a Tomcat filter can be used to detect requests to the above URL and, if the request does not come from a recognised host, drop it or redirect it to another page.
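As an added illustration of the 4.1 workaround (not NetIQ's code and not shipped with the product), a servlet filter that matches the two credential profile service paths quoted above and rejects requests whose source address is not on a configured allow list, so the SOAP body is never parsed; the class name, the "allowedHosts" init-param and the sample addresses are assumptions:

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Rejects calls to the IDSISCredentialProfile service (WSDL fetch and SOAP
// endpoint) unless the client address is on an allow list, so the request
// body is never handed to the SOAP stack. "allowedHosts" is an assumed
// init-param name, e.g. "10.0.0.5,10.0.0.6" (the Access Gateway addresses).
public class CredentialProfileGuardFilter implements Filter {
    private static final String[] PROTECTED_PATHS = {
        "/nidp/service/IDSISCredentialProfile",   // ?wsdl URL from the TID
        "/nidp/services/IDSISCredentialProfile"   // SOAP endpoint from the TID
    };
    private final Set<String> allowedHosts = new HashSet<String>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String param = config.getInitParameter("allowedHosts");
        if (param != null) {
            for (String host : param.split(",")) {
                allowedHosts.add(host.trim());
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String path = request.getRequestURI(); // excludes the query string
        for (String protectedPath : PROTECTED_PATHS) {
            if (path.startsWith(protectedPath)
                    && !allowedHosts.contains(request.getRemoteAddr())) {
                // Drop the request before its body is read or parsed.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The filter is assumed to be registered in the nidp web application's web.xml with a filter-mapping that covers the service paths and is ordered ahead of the Axis servlet. To redirect instead of dropping, replace sendError with HttpServletResponse.sendRedirect to the chosen page.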