Posted to dev@tomcat.apache.org by Jon Scott Stevens <jo...@latchkey.com> on 2002/01/08 20:36:01 UTC

FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

I'm curious how Tomcat deals with this issue.

Oh yea. Yet another reason why JSP sucks. :-)

-jon

------ Forwarded Message
From: Peter Gründl <pg...@kpmg.dk>
Date: Tue, 8 Jan 2002 16:33:26 +0100
To: <bu...@securityfocus.com>
Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

--------------------------------------------------------------------

           -=>Bea Weblogic DOS-device Denial of Service<=-
                      courtesy of KPMG Denmark

BUG-ID: 2002003          Released: 8th Jan 2002
--------------------------------------------------------------------
Problem:
========
A flaw in the way the Bea Weblogic server handles specific requests
containing DOS-devices can cause a Denial of Service situation,
where web requests are no longer being serviced.

Vulnerable:
===========
- Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
- Older releases and other pure Java application servers could be
  vulnerable, but haven't been tested.

Details:
========
When the Weblogic server receives a .jsp request, it invokes an
external compiler to deal with the .jsp resource requested. The
server can be fooled into thinking you are requesting a valid .jsp
resource by simply requesting a DOS-device (such as e.g. aux) and
appending the .jsp extension to it (aux.jsp). The external compiler
is then invoked and due to the nature of the DOS-devices, this
working thread never finishes.

The server can handle about 10-11 working threads, so when this
number of active threads has been reached, the server will no
longer service any requests. Since both HTTP and HTTPS are handled
by the same module, both are crippled if one is attacked.

Vendor URL:
===========
You can visit the vendor's webpage here: http://www.beasys.com

Vendor response:
================
The vendor was contacted on the 6th of November, 2001. On the 15th
of November the vendor confirmed that they had reproduced the issue
on Windows 2000 and Windows NT. The issue is assigned the bug id:
CR062542 by the vendor. On the 3rd of January, 2002 the vendor
confirmed the release of the new service pack and that it included
the patch for this issue.

Corrective action:
==================
Upgrade to Service Pack 2, which can be downloaded here:
http://commerce.beasys.com


   Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be liable
for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------

------ End of Forwarded Message


--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>


Re: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
This isn't a problem for me because:

1.  I run Tomcat under unix.

2.  I run Tomcat with the Java SecurityManager enabled and
    a very restrictive security policy.

But I agree that Tomcat should not try to serve that page
under an MS OS.

Regards,

Glenn


-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

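The check Glenn suggests Tomcat should make under Windows, covering the mechanism the advisory describes (a reserved device name carrying a .jsp extension reaching the compiler), as an added Python example that is not Tomcat's or WebLogic's own code. It generalizes from aux to every reserved DOS device name, and the function names and sample request paths are mine.

```python
"""Reject request paths whose segments name a Windows reserved (DOS) device.

Added example, not Tomcat or WebLogic code. On Windows, opening a file
whose stem is CON, PRN, AUX, NUL, COM1-COM9 or LPT1-LPT9 opens the device
instead, whatever extension follows, so "aux.jsp" hands the JSP compiler
a handle that never reaches end-of-file and the worker thread hangs.
The request paths below are constructed for illustration.
"""
import re
from urllib.parse import unquote

_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_device(segment: str) -> bool:
    """True if a single path segment would resolve to a DOS device on Windows.

    Windows matches the name case-insensitively and stops at the first
    '.' or ':' (so any extension, even several, is ignored); trailing
    spaces and dots before that point are discarded as well.
    """
    stem = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" .")
    return stem.upper() in _RESERVED


def path_names_device(raw_path: str) -> bool:
    """True if any segment of a (possibly percent-encoded) request path names a device."""
    decoded = unquote(raw_path)  # decode first: "%41UX.jsp" is "AUX.jsp"
    return any(is_reserved_device(seg) for seg in re.split(r"[/\\]", decoded) if seg)


# Constructed paths: the first three must be refused before the JSP
# compiler is invoked; the rest are ordinary resources and pass.
SAMPLES = {
    "/aux.jsp": True,
    "/app/LPT1.jsp.bak": True,
    "/docs/prn%20.jsp": True,   # "prn .jsp": trailing space is ignored by Windows
    "/auxiliary.jsp": False,
    "/index.jsp": False,
    "/com10.jsp": False,        # only COM1-COM9 are reserved
}


def check_samples() -> dict:
    """Run the check over every sample path; returns {path: flagged}."""
    return {path: path_names_device(path) for path in SAMPLES}


if __name__ == "__main__":
    for path, flagged in check_samples().items():
        print(f"{'REJECT' if flagged else 'serve '} {path}")
```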