Re: Denial of Service vulnerability on Windows fixed in 4.0.4?

2002-08-29 Thread Josh Schroeder

Having not heard anything from this list about my
question, I emailed [EMAIL PROTECTED] In case
anyone wonders about this bug in the future, here's
the answer.

-Josh

-----Original Message-----
From: Remy Maucherat [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 29, 2002 5:01 AM
To: [EMAIL PROTECTED]
Subject: Re: Tomcat Denial of Service attack


Josh Schroeder wrote:
> To whom it may concern,
> 
> I saw this on bugtraq (full text included below):
> http://online.securityfocus.com/archive/1/277940
> 
> It states a vulnerability when Tomcat 4.0.3 on Win 2K/NT is sent a large
> amount of null characters.
> 
> The document states that the issue is resolved in 4.1.3 beta.
> 
> Is it resolved in 4.0.4 as well?

I failed to find a place where an actual exploit would
be detailed, so I 
don't know for sure if it is fixed in 4.0.4.
Some similar DOS issues were fixed in 4.0.4, though.

Remy

--- Josh Schroeder <[EMAIL PROTECTED]> wrote:
> Hi all,
> 
> I'm deploying Tomcat 4.0.4 stand-alone (no Apache) in
> a production environment and came across the bug
> included below on Bugtraq. Basically, it says Tomcat
> 4.0.3 is vulnerable to a DoS attack based on sending a
> bunch of bad requests with "null characters" that hang
> all the processing threads.
> 
> The report says this bug was found in 4.0.3 in late
> May and confirmed fixed in the 4.1.3 beta in early
> June.
> 
> What I would like to know is if this bug is fixed in
> 4.0.4 as well, since I can't deploy beta code to a
> production server. I've done a bit of research and
> can't seem to find the answer on the web or in the
> release notes.
> 
> Thanks for any help!
> 
> -Josh
> 
> --
> 
> Title: Apache Tomcat Denial of Service
> 
> BUG-ID: 2002025
> Released: 20th Jun 2002
> 
> 
> Problem:
> 
> A malicious user could tie up all 75 working threads and cause a
> Denial of Service situation.
> 
> 
> Vulnerable:
> ===
> - Apache Tomcat 4.0.3 on Windows 2000 Server
> 
> 
> Not Vulnerable:
> ===
> - Apache Tomcat 4.1.3 beta on Windows 2000 Server
> 
> 
> Details:
> 
> By sending a large amount of null characters to the web service
> it is possible to cause a working thread to hang. The default
> installation has 75 working threads, which means this malformed
> request has to be sent to the server 75 times.
> 
> 
> Vendor URL:
> ===
> You can visit the vendor webpage here: http://jakarta.apache.org
> 
> 
> Vendor Response:
> 
> This was reported to the vendor on the 23rd of May, 2002. We
> never heard back from the vendor. On the 10th of June, 2002, the
> issue was confirmed fixed in the latest build.
> 
> 
> Corrective action:
> ==
> Upgrade to V4.1.3 beta, which is available here (URL is wrapped):
> 
> "http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release
> /v4.1.3-beta/"
> 
> 
> Author: Peter Gründl ([EMAIL PROTECTED])
> 
> 
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be
> liable for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.





Denial of Service vulnerability on Windows fixed in 4.0.4?

2002-08-28 Thread Josh Schroeder

Hi all,

I'm deploying Tomcat 4.0.4 stand-alone (no Apache) in
a production environment and came across the bug
included below on Bugtraq. Basically, it says Tomcat
4.0.3 is vulnerable to a DoS attack based on sending a
bunch of bad requests with "null characters" that hang
all the processing threads.

The report says this bug was found in 4.0.3 in late
May and confirmed fixed in the 4.1.3 beta in early
June.

What I would like to know is if this bug is fixed in
4.0.4 as well, since I can't deploy beta code to a
production server. I've done a bit of research and
can't seem to find the answer on the web or in the
release notes.

Thanks for any help!

-Josh

--


Title: Apache Tomcat Denial of Service

BUG-ID: 2002025
Released: 20th Jun 2002


Problem:

A malicious user could tie up all 75 working threads and cause a
Denial of Service situation.


Vulnerable:
===
- Apache Tomcat 4.0.3 on Windows 2000 Server


Not Vulnerable:
===
- Apache Tomcat 4.1.3 beta on Windows 2000 Server


Details:

By sending a large amount of null characters to the web service
it is possible to cause a working thread to hang. The default
installation has 75 working threads, which means this malformed
request has to be sent to the server 75 times.


Vendor URL:
===
You can visit the vendor webpage here:
http://jakarta.apache.org


Vendor Response:

This was reported to the vendor on the 23rd of May, 2002. We
never heard back from the vendor. On the 10th of June, 2002, the
issue was confirmed fixed in the latest build.


Corrective action:
==
Upgrade to V4.1.3 beta, which is available here (URL is wrapped):

"http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release
/v4.1.3-beta/"


Author: Peter Gründl ([EMAIL PROTECTED])


KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in connection
with the use or spread of this information.



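An added example, not part of the thread or the advisory and not Tomcat's fix: a screening check that a front-end proxy or log reviewer could apply to raw request heads, rejecting any that contain NUL bytes (never valid in an HTTP request line or header) and comparing the rejected count with the 75-thread default the advisory cites. The function names, the 8192-byte head cap and the sample connections are assumptions constructed for illustration.

```python
from collections import Counter

POOL_SIZE = 75          # default worker threads, per the advisory
MAX_HEAD_BYTES = 8192   # assumed cap on request line + headers

def screen_head(raw: bytes) -> str:
    """Classify the bytes received so far on one connection."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if b"\x00" in head:
        return "reject-nul"       # NUL is never valid in a request head
    if len(head) > MAX_HEAD_BYTES:
        return "reject-oversize"
    if not sep:
        return "incomplete"       # keep reading, but under a read deadline
    return "accept"

def summarize(connections):
    """connections: iterable of (client_ip, raw_bytes) pairs.

    Returns verdict counts, clients ranked by NUL-bearing requests, and
    whether those requests alone would have been enough to occupy every
    worker in a pool of POOL_SIZE threads.
    """
    verdicts = Counter()
    nul_by_client = Counter()
    for ip, raw in connections:
        verdict = screen_head(raw)
        verdicts[verdict] += 1
        if verdict == "reject-nul":
            nul_by_client[ip] += 1
    return {
        "verdicts": dict(verdicts),
        "nul_by_client": nul_by_client.most_common(),
        "could_exhaust_pool": verdicts["reject-nul"] >= POOL_SIZE,
    }

# Constructed sample capture (documentation-range addresses).
SAMPLE = (
    [("192.0.2.10", b"GET / HTTP/1.0\r\n\r\n")]
    + [("198.51.100.7", b"\x00" * 4096)] * 75
    + [("192.0.2.11", b"GET /index.jsp HTTP/1.1\r\nHost: example.test")]
)

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Rejecting at the front end means the malformed input never reaches a worker thread, whichever Tomcat version sits behind it.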