OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Peter Gründl (pgrundlkpmg.dk)
Date: Mon Jul 08 2002 - 02:25:20 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    --------------------------------------------------------------------

    Title: Bea Weblogic Performance Pack Denial of Service

    BUG-ID: 2002029
    Released: 8th Jul 2002
    --------------------------------------------------------------------

    Problem:
    ========
    If the performance pack is enabled, the Bea Weblogic Server can be
    crashed by a malicious user. The performance pack is enabled in a
    default installation.

    Vulnerable:
    ===========
    - Bea Weblogic 7.0 on Windows 2000 Server

    The vendor has reproduced the issue on:
    BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 on
    Microsoft NT or Windows 2000.

    Product Description:
    ====================
    Quoted from the vendor webpage:

    "Designed for enterprise applications that demand the flexibility
     and security of server-side components in Java, BEA WebLogic ServerT
     brings scalability, performance, and fault tolerance to mission-
     critical Web-based solutions. BEA WebLogic Server is an award-
     winning Java application server for developing, deploying, and
     managing Web applications. BEA WebLogic Server also offers the most
     complete implementation of the Java 2 Enterprise Edition standard -
     including Enterprise JavaBeans."

    Details:
    ========
    The Bea Weblogic Server is vulnerable to a data/connection flooding
    that will result in the web service crashing with a report of an
    error in NTDLL.DLL.

    Vendor URL:
    ===========
    You can visit the vendor webpage here: http://www.bea.com

    Vendor response:
    ================
    The vendor was notified on the 1st of May, 2002. On the 2nd of
    May, 2002 the vendor had reproduced the issue and assigned
    case number 324070 and change request CR076409 to the issue.
    On the 17th of May, 2002 the vendor supplied us with a
    workaround for the issue. On the 3rd of July, the vendor issued
    an official patch for the issue.

    Corrective action:
    ==================
    As a temporary workaround, you can disable the performance pack:

    1. Start the WebLogic Server Console.
    2. Open the Servers folder in the navigation tree.
    3. Select your server in the Servers folder.
    4. Select the Configuration tab.
    5. Select the Tuning tab.
    6. If the "Native IO Enabled" check box is selected, uncheck it.
    7. Click Apply.
    8. Restart your server.

    The vendor released bulletin, containing links to the official
    patches, can be accessed through this URL (wrapped for readability):

    http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
    highlight=advisoriesnotifications&path=components/dev2dev
    /resourcelibrary/advisoriesnotifications/advisory_BEA02-19.htm

    Author: Peter Gründl (pgrundlkpmg.dk)

    --------------------------------------------------------------------
    KPMG is not responsible for the misuse of the information we provide
    through our security advisories. These advisories are a service to
    the professional security community. In no event shall KPMG be lia-
    ble for any consequences whatsoever arising out of or in connection
    with the use or spread of this information.
    --------------------------------------------------------------------