OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Peter Gründl (pgrundlkpmg.dk)
Date: Tue Jan 08 2002 - 09:33:26 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    --------------------------------------------------------------------

               -=>Bea Weblogic DOS-device Denial of Service<=-
                          courtesy of KMPG Denmark

    BUG-ID: 2002003 Released: 8th Jan 2002
    --------------------------------------------------------------------
    Problem:
    ========
    A flaw in the way the Bea Weblogic server handles specific requests
    containing DOS-devices can cause a Denial of Service situation,
    where web requests are no longer being serviced.

    Vulnerable:
    ===========
    - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
    - Older releases and other pure java application servers could be
      vulnerable, but haven't been tested.

    Details:
    ========
    When the Weblogic server receives a .jsp request, it invokes an
    external compiler to deal with the .jsp ressource requested. The
    server can be fooled into thinking you are requesting a valid .jsp
    ressource by simply requesting a DOS-device (such as eg. aux) and
    appending the .jsp extension to it (aux.jsp). The external compiler
    is then invoked and due to the nature of the DOS-devices, this
    working thread never finishes.

    The server can handle about a 10-11 working threads, so when this
    number of active threads has been reached, the server will no
    longer service any requests. Since both HTTP and HTTPS are handled
    by the same module, both are crippled if one is attacked.

    Vendor URL:
    ===========
    You can visit the vendors webpage here: http://www.beasys.com

    Vendor response:
    ================
    The vendor was contacted on the 6th of November, 2001. On the 15th
    of November the vendor confirms that they have reproduced the issue
    on Windows 2000 and Windows NT. The issue is assigned the bug id:
    CR062542 by the vendor. On the 3rd of January, 2002 the vendor
    confirmed the release of the new service pack and that it included
    the patch for this issue.

    Corrective action:
    ==================
    Upgrade to Service Pack 2, which can be downloaded here:
    http://commerce.beasys.com

       Author: Peter Gründl (pgrundlkpmg.dk)

    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------