lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: pgrundl at kpmg.dk (Peter Gründl)
Subject: KPMG-2002034: Jigsaw Webserver DOS device DoS

--------------------------------------------------------------------

Title: Jigsaw Webserver DOS device DoS

BUG-ID: 2002034
Released: 17th Jul 2002
--------------------------------------------------------------------

Problem:
========
A malicious user can tie up working threads on the web server. when
the web server runs out of working threads, the web server will no
longer service web requests.


Vulnerable:
===========
- Jigsaw V2.2.1 Distribution on Windows 2000 Server


Not Vulnerable:
===============
- Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server


Product Description:
====================
Quoted from the vendor webpage:

"Jigsaw is W3C's leading-edge Web server platform, providing a sample
 HTTP 1.1 implementation and a variety of other features on top of an
 advanced architecture implemented in Java. The W3C Jigsaw Activity
 statement explains the motivation and future plans in more detail.
 Jigsaw is an W3C Open Source Project, started May 1996."


Details:
========
Requests for /servlet/con never times out, and approximately 30 of
these requests is enough to tie up all working threads on the server.
The service needs to be restarted to recover.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.w3.org


Vendor response:
================
The vendor was notified on the 27nd of May, 2002. On the 12th of
July we verified that the problem was corrected in the latest build
(s020711).


Corrective action:
==================
Upgrade to a newer version. This issue was first resolved in build
s020711, available here: http://www.caucho.com/download/index.xtp


Author: Peter Gr?ndl (pgrundl@...g.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ