tomcat-dev mailing list archives

From Larry Isaacs <Larry.Isa...@sas.com>
Subject RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
Date Wed, 09 Jan 2002 00:01:57 GMT
I find that isFile() returns false, at least for JDK 1.3.1 and JDK1.2.2.
I tried JDK1.1.8, but Tomcat 3.3.x wouldn't come up.  I get:
 
java.lang.ClassNotFoundException: org.apache.tomcat.startup.EmbededTomcat
        at org.apache.tomcat.util.compat.SimpleClassLoader.loadClass
 
My preference would be to build a solution on isFile() if it can be worked out.
I still need to investigate where the test might best be applied.
 
Larry
 
-----Original Message----- 
From: Bill Barker [mailto:wbarker@wilshire.com] 
Sent: Tue 1/8/2002 3:39 PM 
To: Tomcat Developers List 
Cc: 
Subject: Re: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

This may be too kludgy, but my quick test shows that "aux.ver" 
returns -11644473600000 for lastModified. 
 
Less kludgy would be to simply add a complete list of DOS devices to the 
"keywords" that are mangled. 

----- Original Message ----- 
From: "Larry Isaacs" <Larry.Isaacs@sas.com> 
To: "'Tomcat Developers List'" <tomcat-dev@jakarta.apache.org> 
Sent: Tuesday, January 08, 2002 12:06 PM 
Subject: RE: KPMG-2002003: Bea Weblogic DOS-device Denial of Service 
 
This also causes Tomcat 3.3 to hang a thread when it 
tries to read aux.ver.  Tomcat 3.2.4 doesn't appear 
to have a problem and reports a "not found" error. 
A quick test of Tomcat 4.0.1 returned a blank page 
without hanging. 
I'll investigate and prepare, if possible, a quick 
patch to Tomcat 3.3 and make a proposal for a 
Tomcat 3.3.1 beta and release. 
Thanks for relaying this. 
Cheers, 
Larry 
> -----Original Message----- 
> From: Jon Scott Stevens [mailto:jon@latchkey.com] 
> Sent: Tuesday, January 08, 2002 2:36 PM 
> To: tomcat-dev 
> Subject: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service 
> 
> 
> I'm curious how Tomcat deals with this issue. 
> 
> Oh yea. Yet another reason why JSP sucks. :-) 
> 
> -jon 
> 
> ------ Forwarded Message 
> From: Peter Gründl <pgrundl@kpmg.dk> 
> Date: Tue, 8 Jan 2002 16:33:26 +0100 
> To: <bugtraq@securityfocus.com> 
> Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service 
> 
> -------------------------------------------------------------------- 
> 
>            -=>Bea Weblogic DOS-device Denial of Service<=- 
>                       courtesy of KPMG Denmark 
> 
> BUG-ID: 2002003          Released: 8th Jan 2002 
> -------------------------------------------------------------------- 
> Problem: 
> ======== 
> A flaw in the way the Bea Weblogic server handles specific requests 
> containing DOS-devices can cause a Denial of Service situation, 
> where web requests are no longer being serviced. 
> 
> Vulnerable: 
> =========== 
> - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000 
> - Older releases and other pure java application servers could be 
>   vulnerable, but haven't been tested. 
> 
> Details: 
> ======== 
> When the Weblogic server receives a .jsp request, it invokes an 
> external compiler to deal with the .jsp resource requested. The 
> server can be fooled into thinking you are requesting a valid .jsp 
> resource by simply requesting a DOS-device (such as e.g. aux) and 
> appending the .jsp extension to it (aux.jsp). The external compiler 
> is then invoked and due to the nature of the DOS-devices, this 
> working thread never finishes. 
> 
> The server can handle about 10-11 working threads, so when this 
> number of active threads has been reached, the server will no 
> longer service any requests. Since both HTTP and HTTPS are handled 
> by the same module, both are crippled if one is attacked. 
> 
> Vendor URL: 
> =========== 
> You can visit the vendor's webpage here: http://www.beasys.com 
> 
> Vendor response: 
> ================ 
> The vendor was contacted on the 6th of November, 2001. On the 15th 
> of November the vendor confirms that they have reproduced the issue 
> on Windows 2000 and Windows NT. The issue is assigned the bug id: 
> CR062542 by the vendor. On the 3rd of January, 2002 the vendor 
> confirmed the release of the new service pack and that it included 
> the patch for this issue. 
> 
> Corrective action: 
> ================== 
> Upgrade to Service Pack 2, which can be downloaded here: 
> http://commerce.beasys.com 
> 
> 
>    Author: Peter Gründl (pgrundl@kpmg.dk) 
> 
> -------------------------------------------------------------------- 
> KPMG is not responsible for the misuse of the information we provide 
> through our security advisories. These advisories are a service to 
> the professional security community. In no event shall KPMG be lia- 
> ble for any consequences whatsoever arising out of or in connection 
> with the use or spread of this information. 
> -------------------------------------------------------------------- 
> 
> ------ End of Forwarded Message 
> 
> 
> -- 
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org 
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org 
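As an added illustration of the two mitigations the thread weighs (it is not code from the thread, from Tomcat or from Weblogic), a small Java guard that rejects the Windows reserved device names by name, whatever extension is appended, and otherwise falls back to File.isFile() as Larry proposes. The class and method names are my own, and the reserved-name list is the standard Windows set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9).

```java
import java.io.File;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical request-path guard; not part of Tomcat. */
public final class DosDeviceGuard {
    private static final Set<String> RESERVED = new HashSet<String>();
    static {
        for (String s : new String[] {"CON", "PRN", "AUX", "NUL"}) RESERVED.add(s);
        for (int i = 1; i <= 9; i++) { RESERVED.add("COM" + i); RESERVED.add("LPT" + i); }
    }

    /** True if any path segment names a DOS device (e.g. "aux.jsp", "COM1.txt"). */
    public static boolean isReservedDeviceName(String requestPath) {
        for (String segment : requestPath.split("[/\\\\]")) {
            if (segment.isEmpty()) continue;
            // Windows ignores everything after the first dot: "aux.jsp" still
            // opens the AUX device, so compare the base name only.
            int dot = segment.indexOf('.');
            String base = (dot < 0 ? segment : segment.substring(0, dot)).trim();
            if (RESERVED.contains(base.toUpperCase(Locale.ROOT))) return true;
        }
        return false;
    }

    /** Name check first, then only serve paths that resolve to a regular file. */
    public static boolean isServableFile(File docBase, String requestPath) {
        if (isReservedDeviceName(requestPath)) return false;
        // Larry's observation: File.isFile() is false for device names on
        // JDK 1.2.2 and 1.3.1, so this also catches anything the list misses.
        return new File(docBase, requestPath).isFile();
    }

    public static void main(String[] args) {
        // Constructed sample paths; "auxiliary.jsp" shows a legitimate near-miss.
        String[] samples = {"/index.jsp", "/aux.jsp", "/dir/COM1.txt", "/lpt9", "/auxiliary.jsp"};
        for (String p : samples) {
            System.out.println(p + " -> reserved=" + isReservedDeviceName(p));
        }
    }
}
```

Applied before the JSP compiler is invoked, the name check turns the hanging request into an immediate "not found", which is the behaviour Larry reports for Tomcat 3.2.4.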