From pgrundl@kpmg.dk Mon Jun 17 09:18:04 2002
From: Peter Gründl
To: vulnwatch
Date: Mon, 17 Jun 2002 09:23:43 +0200
Subject: [VulnWatch] KPMG-2002021: Resin Large Parameter Denial of Service

--------------------------------------------------------------------
Title: Resin Large Parameter Denial of Service
BUG-ID: 2002021
Released: 17th Jun 2002
--------------------------------------------------------------------

Problem:
========
It is possible for a malicious user to cause a Denial of Service by
requesting certain malformed URLs from the Resin web server.

Vulnerable:
===========
- Resin 2.1.1 standalone on Windows 2000 Server

Not Vulnerable:
===============
- Resin 2.1.2 standalone on Windows 2000 Server

Details:
========
By defining large variables when accessing non-existent resources, it
is possible to consume the entire workspace on the server. This will
result in hanging parts of, or the entire, web server.

Vendor URL:
===========
You can visit the vendor webpage here: http://www.caucho.com

Vendor Response:
================
This was reported to the vendor on the 22nd of May, 2002. On the 11th
of June, 2002 the vendor released a new version that corrects the
issue.

Corrective action:
==================
Upgrade to version 2.1.2 available from: http://www.caucho.com/download/

Author: Peter Gründl (pgrundl@kpmg.dk)
--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to the
professional security community. In no event shall KPMG be liable for
any consequences whatsoever arising out of or in connection with the
use or spread of this information.
--------------------------------------------------------------------
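The pattern the Details section describes (oversized request parameters aimed at resources that do not exist) is easy to spot in access logs while a vulnerable server is waiting for the 2.1.2 upgrade. The following is an added example, not code from the advisory or from Caucho: it parses constructed common-log-format lines, flags 404 responses whose query string exceeds a length limit, and counts hits per client address; the log lines, the 2048-byte threshold and the function names are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed access-log lines in common log format (not real Resin output).
# The two 10.0.0.9 entries carry oversized parameters aimed at missing paths.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jun/2002:09:00:01 +0200] "GET /index.jsp HTTP/1.0" 200 1234',
    '10.0.0.5 - - [17/Jun/2002:09:00:02 +0200] "GET /search.jsp?q=resin HTTP/1.0" 200 512',
    '10.0.0.9 - - [17/Jun/2002:09:00:03 +0200] "GET /missing.jsp?a=' + "A" * 3000 + ' HTTP/1.0" 404 0',
    '10.0.0.9 - - [17/Jun/2002:09:00:04 +0200] "GET /nothere?b=' + "B" * 4000 + ' HTTP/1.0" 404 0',
    '10.0.0.7 - - [17/Jun/2002:09:00:05 +0200] "GET /index.jsp?x=' + "C" * 3000 + ' HTTP/1.0" 200 1234',
]

# Client IP, request target and status code from a common-log-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, path, query_len and status, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": parts.path,
        "query_len": len(parts.query),
        "status": int(m.group("status")),
    }


def flag_large_param_404s(lines, max_query_len=2048):
    """Flag requests that combine a 404 with a query string longer than max_query_len.

    Returns (hits, per_ip): the flagged records and a Counter of hits per client IP,
    which is the signal worth alerting on when the same source repeats the pattern.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 404 and rec["query_len"] > max_query_len:
            hits.append(rec)
    return hits, Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    hits, per_ip = flag_large_param_404s(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["path"]} query_len={h["query_len"]}')
    print(dict(per_ip))
```

The large parameter sent to the existing /index.jsp is deliberately not flagged, since the advisory ties the hang to non-existent resources; lower the threshold or drop the status check if you want a broader net.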