tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
Date Tue, 08 Jan 2002 20:39:32 GMT
This may be too kludgy, but my quick test shows that "aux.ver"
returns -11644473600000 for lastModified.

Less kludgy would be to simply add a complete list of DOS devices to the
"keywords" that are mangled.
----- Original Message -----
From: "Larry Isaacs" <Larry.Isaacs@sas.com>
To: "'Tomcat Developers List'" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, January 08, 2002 12:06 PM
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service


This also causes Tomcat 3.3 to hang a thread when it
tries to read aux.ver.  Tomcat 3.2.4 doesn't appear
to have a problem and reports a "not found" error.
A quick test of Tomcat 4.0.1 returned a blank page
without hanging.

I'll investigate and prepare, if possible, a quick
patch to Tomcat 3.3 and make a proposal for a
Tomcat 3.3.1 beta and release.

Thanks for relaying this.

Cheers,
Larry

> -----Original Message-----
> From: Jon Scott Stevens [mailto:jon@latchkey.com]
> Sent: Tuesday, January 08, 2002 2:36 PM
> To: tomcat-dev
> Subject: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
>
> I'm curious how Tomcat deals with this issue.
>
> Oh yea. Yet another reason why JSP sucks. :-)
>
> -jon
>
> ------ Forwarded Message
> From: Peter Gründl <pgrundl@kpmg.dk>
> Date: Tue, 8 Jan 2002 16:33:26 +0100
> To: <bugtraq@securityfocus.com>
> Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
> --------------------------------------------------------------------
>
>            -=>Bea Weblogic DOS-device Denial of Service<=-
>                       courtesy of KPMG Denmark
>
> BUG-ID: 2002003          Released: 8th Jan 2002
> --------------------------------------------------------------------
> Problem:
> ========
> A flaw in the way the Bea Weblogic server handles specific requests
> containing DOS-devices can cause a Denial of Service situation,
> where web requests are no longer being serviced.
>
> Vulnerable:
> ===========
> - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
> - Older releases and other pure java application servers could be
>   vulnerable, but haven't been tested.
>
> Details:
> ========
> When the Weblogic server receives a .jsp request, it invokes an
> external compiler to deal with the .jsp resource requested. The
> server can be fooled into thinking you are requesting a valid .jsp
> resource by simply requesting a DOS-device (such as e.g. aux) and
> appending the .jsp extension to it (aux.jsp). The external compiler
> is then invoked and due to the nature of the DOS-devices, this
> working thread never finishes.
>
> The server can handle about 10-11 working threads, so when this
> number of active threads has been reached, the server will no
> longer service any requests. Since both HTTP and HTTPS are handled
> by the same module, both are crippled if one is attacked.
>
> Vendor URL:
> ===========
> You can visit the vendor's web page here: http://www.beasys.com
>
> Vendor response:
> ================
> The vendor was contacted on the 6th of November, 2001. On the 15th
> of November the vendor confirmed that they had reproduced the issue
> on Windows 2000 and Windows NT. The issue was assigned the bug id
> CR062542 by the vendor. On the 3rd of January, 2002 the vendor
> confirmed the release of the new service pack and that it included
> the patch for this issue.
>
> Corrective action:
> ==================
> Upgrade to Service Pack 2, which can be downloaded here:
> http://commerce.beasys.com
>
>
>    Author: Peter Gründl (pgrundl@kpmg.dk)
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be
> liable for any consequences whatsoever arising out of or in
> connection with the use or spread of this information.
> --------------------------------------------------------------------
>
> ------ End of Forwarded Message
>
>
> --
> To unsubscribe, e-mail:
<mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
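Bill's "less kludgy" suggestion, adding the reserved DOS device names to the set of path components a container refuses to touch, is sketched below as an added Java example; it is not Tomcat's or WebLogic's own code. It assumes a servlet container can check the request path before resolving it to a file, and that matching the segment's base name (before the first dot) is enough to cover forms like "aux.jsp" and "aux.ver".

```java
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Tomcat or WebLogic code): rejects request paths that
 * name a reserved Windows/DOS device such as "aux.jsp" before the container
 * attempts to open the file, which on Windows can block a worker thread.
 */
public final class DosDeviceGuard {

    // Reserved device names on Windows. They are matched against the part
    // of a path segment before the first '.', so "aux.jsp" and "aux.ver"
    // are both treated as the AUX device.
    private static final Set<String> RESERVED = Set.of(
        "CON", "PRN", "AUX", "NUL",
        "COM1", "COM2", "COM3", "COM4", "COM5", "COM6", "COM7", "COM8", "COM9",
        "LPT1", "LPT2", "LPT3", "LPT4", "LPT5", "LPT6", "LPT7", "LPT8", "LPT9");

    private DosDeviceGuard() {}

    /** Returns true when any segment of the request path names a reserved device. */
    public static boolean refersToDosDevice(String path) {
        for (String segment : path.split("/")) {
            if (isReservedSegment(segment)) {
                return true;
            }
        }
        return false;
    }

    static boolean isReservedSegment(String segment) {
        // Windows ignores trailing spaces and dots when opening a name,
        // so strip them before looking at the base name.
        int end = segment.length();
        while (end > 0 && (segment.charAt(end - 1) == ' ' || segment.charAt(end - 1) == '.')) {
            end--;
        }
        String trimmed = segment.substring(0, end);
        int dot = trimmed.indexOf('.');
        String base = (dot < 0 ? trimmed : trimmed.substring(0, dot)).trim();
        return RESERVED.contains(base.toUpperCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample paths: the first three should be refused, the last served.
        for (String p : new String[] {"/aux.jsp", "/docs/aux.ver", "/COM1.jsp", "/index.jsp"}) {
            System.out.println(p + " -> " + (refersToDosDevice(p) ? "refuse (404)" : "serve"));
        }
    }
}
```

A container would call refersToDosDevice on the decoded request URI and answer "not found" for a match, which is the behaviour Larry observed in Tomcat 3.2.4.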
