tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
Date Wed, 09 Jan 2002 00:43:43 GMT
1.3.0_01 returns true for isFile on my Win-NT box.

I've attached the program I've been running (so as to avoid having to load
all of Tomcat).
----- Original Message -----
From: "Larry Isaacs" <Larry.Isaacs@sas.com>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, January 08, 2002 4:01 PM
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service


I find that isFile() returns false, at least for JDK 1.3.1 and JDK1.2.2.
I tried JDK1.1.8, but Tomcat 3.3.x wouldn't come up.  I get:

java.lang.ClassNotFoundException: org.apache.tomcat.startup.EmbededTomcat
        at org.apache.tomcat.util.compat.SimpleClassLoader.loadClass

My preference would be to build a solution on isFile() if it can be worked
out.
I still need to investigate where the test might best be applied.

Larry

-----Original Message-----
From: Bill Barker [mailto:wbarker@wilshire.com]
Sent: Tue 1/8/2002 3:39 PM
To: Tomcat Developers List
Cc:
Subject: Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

This may be too kludgy, but my quick test shows that "aux.ver"
returns -11644473600000 for lastModified.

Less kludgy would be to simply add a complete list of DOS devices to the
"keywords" that are mangled.

----- Original Message -----
From: "Larry Isaacs" <Larry.Isaacs@sas.com>
To: "'Tomcat Developers List'" <tomcat-dev@jakarta.apache.org>
Sent: Tuesday, January 08, 2002 12:06 PM
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

This also causes Tomcat 3.3 to hang a thread when it
tries to read aux.ver.  Tomcat 3.2.4 doesn't appear
to have a problem and reports a "not found" error.
A quick test of Tomcat 4.0.1 returned a blank page
without hanging.
I'll investigate and prepare, if possible, a quick
patch to Tomcat 3.3 and make a proposal for a
Tomcat 3.3.1 beta and release.
Thanks for relaying this.
Cheers,
Larry
> -----Original Message-----
> From: Jon Scott Stevens [mailto:jon@latchkey.com]
> Sent: Tuesday, January 08, 2002 2:36 PM
> To: tomcat-dev
> Subject: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
>
> I'm curious how Tomcat deals with this issue.
>
> Oh yea. Yet another reason why JSP sucks. :-)
>
> -jon
>
> ------ Forwarded Message
> From: Peter Gründl <pgrundl@kpmg.dk>
> Date: Tue, 8 Jan 2002 16:33:26 +0100
> To: <bugtraq@securityfocus.com>
> Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
>
> --------------------------------------------------------------------
>
>            -=>Bea Weblogic DOS-device Denial of Service<=-
>                       courtesy of KPMG Denmark
>
> BUG-ID: 2002003          Released: 8th Jan 2002
> --------------------------------------------------------------------
> Problem:
> ========
> A flaw in the way the Bea Weblogic server handles specific requests
> containing DOS-devices can cause a Denial of Service situation,
> where web requests are no longer being serviced.
>
> Vulnerable:
> ===========
> - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
> - Older releases and other pure java application servers could be
>   vulnerable, but haven't been tested.
>
> Details:
> ========
> When the Weblogic server receives a .jsp request, it invokes an
> external compiler to deal with the .jsp resource requested. The
> server can be fooled into thinking you are requesting a valid .jsp
> resource by simply requesting a DOS-device (such as e.g. aux) and
> appending the .jsp extension to it (aux.jsp). The external compiler
> is then invoked and due to the nature of the DOS-devices, this
> working thread never finishes.
>
> The server can handle about 10-11 working threads, so when this
> number of active threads has been reached, the server will no
> longer service any requests. Since both HTTP and HTTPS are handled
> by the same module, both are crippled if one is attacked.
>
> Vendor URL:
> ===========
> You can visit the vendor's webpage here: http://www.beasys.com
>
> Vendor response:
> ================
> The vendor was contacted on the 6th of November, 2001. On the 15th
> of November the vendor confirmed that they had reproduced the issue
> on Windows 2000 and Windows NT. The issue is assigned the bug id:
> CR062542 by the vendor. On the 3rd of January, 2002 the vendor
> confirmed the release of the new service pack and that it included
> the patch for this issue.
>
> Corrective action:
> ==================
> Upgrade to Service Pack 2, which can be downloaded here:
> http://commerce.beasys.com
>
>
>    Author: Peter Gründl (pgrundl@kpmg.dk)
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be lia-
> ble for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------
>
> ------ End of Forwarded Message
>
>
> --
> To unsubscribe, e-mail: <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
> For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
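As an added example, not code from this thread and not the test program Bill attached (which is not reproduced in the archive): a small Java class that does what Bill's "less kludgy" suggestion describes, recognising reserved DOS device names in request path segments so a container can reject them before any File or compiler call touches the name, plus a probe that reports what File.isFile() and File.lastModified() return for a given name, the two signals the participants compared across JDKs. The reserved-name list (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) is Microsoft's documented Win32 set; the class and method names are my own, the sample paths are constructed, and it is written in current Java rather than the JDK 1.2/1.3 of the thread.

```java
import java.io.File;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example: reject request paths that name a reserved Win32 device
 * (aux.jsp, con.ver, ...), and probe what java.io.File reports for a name.
 */
public final class DosDeviceNameCheck {

    // Reserved Win32 device names. A path segment is treated as the device
    // whatever extension follows it (aux.jsp opens AUX), and case is ignored.
    private static final Set<String> RESERVED = new HashSet<>();
    static {
        for (String n : new String[] {"CON", "PRN", "AUX", "NUL"}) {
            RESERVED.add(n);
        }
        for (int i = 1; i <= 9; i++) {
            RESERVED.add("COM" + i);
            RESERVED.add("LPT" + i);
        }
    }

    /** True if one path segment (no separators) names a reserved device. */
    public static boolean isReservedSegment(String segment) {
        String base = segment;
        int dot = base.indexOf('.');
        if (dot >= 0) {
            base = base.substring(0, dot);      // "aux.jsp" -> "aux"
        }
        base = base.trim();                     // Win32 ignores trailing blanks
        return RESERVED.contains(base.toUpperCase(Locale.ROOT));
    }

    /** True if any segment of a request path names a reserved device. */
    public static boolean containsReservedDevice(String requestPath) {
        for (String seg : requestPath.split("[/\\\\]+")) {
            if (!seg.isEmpty() && isReservedSegment(seg)) {
                return true;
            }
        }
        return false;
    }

    /**
     * What java.io.File says about a name. This is the JDK- and OS-dependent
     * signal the thread compares (isFile() true on one JDK, false on another),
     * which is why the textual check above does not rely on it.
     */
    public static String probe(String name) {
        File f = new File(name);
        return name + ": exists=" + f.exists() + " isFile=" + f.isFile()
                + " lastModified=" + f.lastModified();
    }

    public static void main(String[] args) {
        // Constructed sample request paths; the name check is OS-independent.
        String[] samples = {"/index.jsp", "/aux.jsp", "/docs/AUX.ver",
                            "/com1", "/com10.jsp", "/auxiliary.jsp", "/nul.tar.gz"};
        for (String s : samples) {
            System.out.println(s + " -> reserved=" + containsReservedDevice(s));
        }
        // Probe only names given on the command line, so a default run never
        // hands a device name to the filesystem.
        for (String name : args) {
            System.out.println(probe(name));
        }
    }
}
```

Run without arguments, the sample loop reports /aux.jsp, /docs/AUX.ver, /com1 and /nul.tar.gz as reserved and the other three as not (COM10 is not a reserved name, and "auxiliary" is only a prefix). Because the check works on the request path as text, it gives the same answer under every JDK; the probe is there only to reproduce the isFile()/lastModified() comparison from the thread on whatever platform you run it.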
