Bugtraq mailing list archives
Re: Windows NT 4.0 with IBM JVM Denial of Service
From: Marc Schoenefeld <schonef () uni-muenster de>
Date: Fri, 25 Jul 2003 20:29:24 +0200 (MES)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Wed, 23 Jul 2003, @stake Advisories wrote: [..]
Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service Release Date: 07/23/2003 Application: Any Java application, other applications are possible attack vectors. Platform: Java 2 Runtime Environment, Standard Edition (build 1.3.0), Windows NT 4.0 Severity: Denial of service
Analysis: Windows NT 4.0 : outdated IBM JAVA 1.3.0 : outdated File handling in servlets : Bad design anti-pattern (better use EJB)
Recommendation: Java developers should identify all occurances and perform data validation where java.io.getCanonicalPath is used.
- - That does not help if the getCanonicalPath is used in a library that is not available in source code. You might have to use a decompiler or use a tool that searches for nested calls to such routines. I have written such a tool if you like to use it contact me via email. - - But generally: Developers should think about system design that does not base on direct file access in the web-tier (least function principle).
NT 4.0 Administrators running servers which use Java servlets should consider installing the Microsoft supplied patch.
- - DEPLOYERS should update their JVM (if their code does not use proprietary IBM stuff) to an uptodate JVM like Sun JRE 1.4.1_03. Cheers Marc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (AIX) Comment: For info see http://www.gnupg.org iD8DBQE/IXcHqCaQvrKNUNQRAhbZAJwKjg+jSAOceGRehLaZO1HhET6UygCeN1kc 53vU1gWicAZObo19fSWjxbc= =DLEd -----END PGP SIGNATURE-----
Current thread:
- Windows NT 4.0 with IBM JVM Denial of Service @stake Advisories (Jul 23)
- Re: Windows NT 4.0 with IBM JVM Denial of Service Marc Schoenefeld (Jul 25)
- <Possible follow-ups>
- RE: Windows NT 4.0 with IBM JVM Denial of Service Angelidis, Fotis(NSASOUDABAY) (Jul 25)