[..]
>
> Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
> Release Date: 07/23/2003
> Application: Any Java application, other applications
> are possible attack vectors.
> Platform: Java 2 Runtime Environment, Standard Edition
> (build 1.3.0), Windows NT 4.0
> Severity: Denial of service
Analysis:
Windows NT 4.0 : outdated
IBM JAVA 1.3.0 : outdated
File handling in servlets : Bad design anti-pattern (better use EJB)
> Recommendation:
>
> Java developers should identify all occurances and perform data
> validation where java.io.getCanonicalPath is used.
- - That does not help if the getCanonicalPath is used in a
library that is not available in source code. You might
have to use a decompiler or use a tool that searches for
nested calls to such routines. I have written such a tool if
you like to use it contact me via email.
- - But generally: Developers should think about system design that does not
base on direct file access in the web-tier (least function principle).
>
> NT 4.0 Administrators running servers which use Java servlets
> should consider installing the Microsoft supplied patch.
- - DEPLOYERS should update their JVM (if their code
does not use proprietary IBM stuff) to an uptodate JVM like
Sun JRE 1.4.1_03.
Cheers
Marc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org
Hash: SHA1
On Wed, 23 Jul 2003, @stake Advisories wrote:
[..]
>
> Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
> Release Date: 07/23/2003
> Application: Any Java application, other applications
> are possible attack vectors.
> Platform: Java 2 Runtime Environment, Standard Edition
> (build 1.3.0), Windows NT 4.0
> Severity: Denial of service
Analysis:
Windows NT 4.0 : outdated
IBM JAVA 1.3.0 : outdated
File handling in servlets : Bad design anti-pattern (better use EJB)
> Recommendation:
>
> Java developers should identify all occurances and perform data
> validation where java.io.getCanonicalPath is used.
- - That does not help if the getCanonicalPath is used in a
library that is not available in source code. You might
have to use a decompiler or use a tool that searches for
nested calls to such routines. I have written such a tool if
you like to use it contact me via email.
- - But generally: Developers should think about system design that does not
base on direct file access in the web-tier (least function principle).
>
> NT 4.0 Administrators running servers which use Java servlets
> should consider installing the Microsoft supplied patch.
- - DEPLOYERS should update their JVM (if their code
does not use proprietary IBM stuff) to an uptodate JVM like
Sun JRE 1.4.1_03.
Cheers
Marc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org
iD8DBQE/IXcHqCaQvrKNUNQRAhbZAJwKjg+jSAOceGRehLaZO1HhET6UygCeN1kc
53vU1gWicAZObo19fSWjxbc=
=DLEd
-----END PGP SIGNATURE-----
[ reply ]