This also causes Tomcat 3.3 to hang a thread when it
tries to read aux.ver.  Tomcat 3.2.4 doesn't appear
to have a problem and reports a "not found" error.
A quick test of Tomcat 4.0.1 returned a blank page
without hanging.

I'll investigate and prepare, if possible, a quick
patch to Tomcat 3.3 and make a proposal for a
Tomcat 3.3.1 beta and release.

Thanks for relaying this.

Cheers,
Larry

> -----Original Message-----
> From: Jon Scott Stevens [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 08, 2002 2:36 PM
> To: tomcat-dev
> Subject: FW: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
> 
> 
> I'm curious how Tomcat deals with this issue.
> 
> Oh yea. Yet another reason why JSP sucks. :-)
> 
> -jon
> 
> ------ Forwarded Message
> From: Peter Gründl <[EMAIL PROTECTED]>
> Date: Tue, 8 Jan 2002 16:33:26 +0100
> To: <[EMAIL PROTECTED]>
> Subject: KPMG-2002003: Bea Weblogic DOS-device Denial of Service
> 
> --------------------------------------------------------------------
> 
>            -=>Bea Weblogic DOS-device Denial of Service<=-
>                       courtesy of KPMG Denmark
> 
> BUG-ID: 2002003          Released: 8th Jan 2002
> --------------------------------------------------------------------
> Problem:
> ========
> A flaw in the way the Bea Weblogic server handles specific requests
> containing DOS-devices can cause a Denial of Service situation,
> where web requests are no longer being serviced.
> 
> Vulnerable:
> ===========
> - Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000
> - Older releases and other pure java application servers could be
>   vulnerable, but haven't been tested.
> 
> Details:
> ========
> When the Weblogic server receives a .jsp request, it invokes an
> external compiler to deal with the .jsp resource requested. The
> server can be fooled into thinking you are requesting a valid .jsp
> resource by simply requesting a DOS-device (such as e.g. aux) and
> appending the .jsp extension to it (aux.jsp). The external compiler
> is then invoked and due to the nature of the DOS-devices, this
> working thread never finishes.
> 
> The server can handle about 10-11 working threads, so when this
> number of active threads has been reached, the server will no
> longer service any requests. Since both HTTP and HTTPS are handled
> by the same module, both are crippled if one is attacked.
> 
> Vendor URL:
> ===========
> You can visit the vendor's webpage here: http://www.beasys.com
> 
> Vendor response:
> ================
> The vendor was contacted on the 6th of November, 2001. On the 15th
> of November the vendor confirms that they have reproduced the issue
> on Windows 2000 and Windows NT. The issue is assigned the bug id:
> CR062542 by the vendor. On the 3rd of January, 2002 the vendor
> confirmed the release of the new service pack and that it included
> the patch for this issue.
> 
> Corrective action:
> ==================
> Upgrade to Service Pack 2, which can be downloaded here:
> http://commerce.beasys.com
> 
> 
>    Author: Peter Gründl ([EMAIL PROTECTED])
> 
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be liable
> for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------
> 
> ------ End of Forwarded Message
> 
> 
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

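The advisory's root cause is that on Windows a name such as `aux.jsp` (or `aux.ver`, as in the Tomcat case above) is not a file at all but the AUX device, so any code path that opens it blocks forever. The check below is an added example, not code from this thread, from Tomcat or from WebLogic: a request-path filter that a servlet container or a front-end proxy on Windows could apply before a URL is mapped to a file. It assumes Windows' documented rule that the reserved name is the part of a path segment before the first `.` or `:` with trailing spaces and dots ignored, and it decodes percent-encoding first so that encoded spellings of the same name are caught. The reserved-name list is constructed here and deliberately conservative (it includes `COM0`/`LPT0`, `CLOCK$` and the superscript-digit variants), since exact behaviour differs between Windows versions.

```python
import re
from urllib.parse import unquote

# Constructed, conservative list of MS-DOS device names. Windows treats these as
# devices in any directory and with any extension ("aux.jsp" is still AUX).
# COM0/LPT0, CLOCK$ and the superscript digits are included as an assumption, to
# err on the side of rejecting rather than hanging a worker thread.
_RESERVED = {"CON", "PRN", "AUX", "NUL", "CLOCK$"}
for _digit in "0123456789\u00b9\u00b2\u00b3":
    _RESERVED.add(f"COM{_digit}")
    _RESERVED.add(f"LPT{_digit}")


def _base_name(segment: str) -> str:
    """Reduce one path segment to what Windows compares against the device table:
    the text before the first '.' (extension) or ':' (alternate data stream),
    with trailing spaces and dots dropped, case-folded."""
    name = re.split(r"[.:]", segment, maxsplit=1)[0]
    return name.rstrip(" .").upper()


def _decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so '%61ux.jsp' and the
    double-encoded '%2561ux.jsp' are both seen as 'aux.jsp'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def reserved_device_segment(url_path: str):
    """Return the first (decoded) path segment that names a DOS device, or None.

    The query string is discarded before decoding, and backslashes are treated
    as separators because Windows accepts either."""
    path = _decode(url_path.split("?", 1)[0]).replace("\\", "/")
    for segment in path.split("/"):
        if segment and _base_name(segment) in _RESERVED:
            return segment
    return None


def is_safe_request_path(url_path: str) -> bool:
    """True if the request path can be handed to the file system / JSP compiler
    without touching a device name; False means reject with a 4xx instead."""
    return reserved_device_segment(url_path) is None


if __name__ == "__main__":
    # Constructed sample requests: the first few mirror the advisory's aux.jsp case.
    for sample in ["/aux.jsp", "/app/AUX.ver", "/%61ux.jsp", "/com1/index.jsp",
                   "/aux:stream.jsp", "/auxiliary.jsp", "/index.jsp"]:
        verdict = "REJECT" if not is_safe_request_path(sample) else "ok"
        print(f"{sample:24} {verdict}  ({reserved_device_segment(sample)})")
```

The filter is applied to the decoded, segment-split path rather than to the raw URL because the device name can sit in a directory component, carry an arbitrary extension, or arrive percent-encoded; a plain substring match on `aux.jsp` would miss all three. Rejecting such paths up front keeps the worker thread from ever opening the device, which is what exhausts the small thread pool the advisory describes.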
