--------------------------------------------------------------------

Title: Bea Weblogic Performance Pack Denial of Service

BUG-ID: 2002029
Released: 8th Jul 2002
--------------------------------------------------------------------

Problem:
========
If the performance pack is enabled, the Bea Weblogic Server can be
crashed by a malicious user. The performance pack is enabled in a
default installation.


Vulnerable:
===========
- Bea Weblogic 7.0 on Windows 2000 Server

The vendor has reproduced the issue on:
BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 on
Microsoft NT or Windows 2000.


Product Description:
====================
Quoted from the vendor webpage:

"Designed for enterprise applications that demand the flexibility and
security of server-side components in Java, BEA WebLogic Server(TM)
brings scalability, performance, and fault tolerance to
mission-critical Web-based solutions. BEA WebLogic Server is an
award-winning Java application server for developing, deploying, and
managing Web applications. BEA WebLogic Server also offers the most
complete implementation of the Java 2 Enterprise Edition standard -
including Enterprise JavaBeans."


Details:
========
The Bea Weblogic Server is vulnerable to data/connection flooding
that will result in the web service crashing with a report of an
error in NTDLL.DLL.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.bea.com


Vendor response:
================
The vendor was notified on the 1st of May, 2002. On the 2nd of May,
2002 the vendor had reproduced the issue and assigned case number
324070 and change request CR076409 to the issue. On the 17th of May,
2002 the vendor supplied us with a workaround for the issue. On the
3rd of July, the vendor issued an official patch for the issue.


Corrective action:
==================
As a temporary workaround, you can disable the performance pack:

1. Start the WebLogic Server Console.
2. Open the Servers folder in the navigation tree.
3. Select your server in the Servers folder.
4. Select the Configuration tab.
5. Select the Tuning tab.
6. If the "Native IO Enabled" check box is selected, uncheck it.
7. Click Apply.
8. Restart your server.

The vendor-released bulletin, containing links to the official
patches, can be accessed through this URL (wrapped for readability):

http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
highlight=advisoriesnotifications&path=components/dev2dev
/resourcelibrary/advisoriesnotifications/advisory_BEA02-19.htm


Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be
liable for any consequences whatsoever arising out of or in
connection with the use or spread of this information.
--------------------------------------------------------------------
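
The workaround listed under "Corrective action" can be audited from a domain's configuration file instead of clicking through the console for each server. The script below is an added example, not part of the KPMG advisory or of BEA's tooling; it assumes the "Native IO Enabled" check box is persisted as a NativeIOEnabled attribute on each <Server> element of config.xml and that a missing attribute means the default (enabled), and its sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a WebLogic 6.x/7.0 domain config.xml.
# Assumption: the console's "Native IO Enabled" check box is stored as the
# NativeIOEnabled attribute on each <Server> element, and an absent attribute
# means the default, which the advisory says is "enabled".
SAMPLE_CONFIG = """<Domain Name="mydomain">
  <Server Name="adminserver" ListenPort="7001" NativeIOEnabled="true"/>
  <Server Name="managed1" ListenPort="7003"/>
  <Server Name="managed2" ListenPort="7005" NativeIOEnabled="false"/>
</Domain>"""


def servers_with_native_io(config_xml: str) -> list[tuple[str, str]]:
    """Return (server name, reason) for each server where the workaround is not applied."""
    root = ET.fromstring(config_xml)
    findings = []
    for server in root.iter("Server"):
        name = server.get("Name", "<unnamed>")
        value = server.get("NativeIOEnabled")
        if value is None:
            # Nothing written to the file: the server runs with the default.
            findings.append((name, "attribute absent, default applies"))
        elif value.strip().lower() != "false":
            findings.append((name, f"NativeIOEnabled={value!r}"))
    return findings


if __name__ == "__main__":
    for name, reason in servers_with_native_io(SAMPLE_CONFIG):
        print(f"{name}: workaround not applied ({reason})")
```

The script reports configuration only; a server that already runs the vendor's official patch does not need the workaround, and a changed setting takes effect only after the restart in step 8.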