VYPR
Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-2244

Description

Oracle 9i AS and DB XML parser DoS via crafted DTD in SOAP messages, affecting multiple versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The XML parser in Oracle 9i Application Server Release 2 (9.0.3.0, 9.0.3.1, 9.0.2.3 and earlier) and Release 1 (1.0.2.2, 1.0.2.2.2), and Database Server Release 2 (9.2.0.1 and later) is vulnerable to a denial-of-service attack. A remote attacker can send a SOAP message containing a crafted Document Type Definition (DTD) that causes excessive CPU and memory consumption [1].

Exploitation

An attacker requires network access to send a SOAP request to an affected Oracle server. No authentication is needed. The attack involves crafting a SOAP message with a malicious DTD, which the parser processes, leading to resource exhaustion [1].

Impact

Successful exploitation results in a denial-of-service condition, consuming CPU and memory resources, which can degrade or completely disrupt application availability [1].

Mitigation

Oracle released patches as part of its Critical Patch Update (CPU) process. Affected users should apply the appropriate patch for their version. The vulnerability is also listed in Secunia advisory SA10936 [1]. No workaround is documented.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

15
  • oracle:application_server
    • cpe:2.3:a:oracle:application_server:1.0.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_server:1.0.2.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_server:9.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:application_server:9.0.3.1:*:*:*:*:*:*:*
    • (no CPE) range: 9.0.3.0, 9.0.3.1, 9.0.2.3 and earlier, 1.0.2.2, 1.0.2.2.2
  • oracle:oracle9i
    • cpe:2.3:a:oracle:oracle9i:enterprise_9.0.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:enterprise_9.2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:enterprise_9.2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:personal_9.0.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:personal_9.2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:personal_9.2.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:standard_9.0.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:standard_9.2.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:oracle:oracle9i:standard_9.2.0.2:*:*:*:*:*:*:*
  • Range: 9.2.0.1 and later

Patches

0

No patches discovered yet.

References

5
