[1][USEMAP] [2][USEMAP] [3][LINK] Allaire Security Bulletin (ASB00-30) JRun 3.0: Patch available for "multiple .'s denial of service" issue Originally Posted: October 31, 2000 Last Updated: October 31, 2000 Summary Under certain circumstances, the included JRun 3.0 http servlet server may improperly utilize server resources with deliberately malformed URIs. This behavior may lead to a denial of service condition if the server is flooded with these kinds of requests. Issue Under certain circumstances, submitting a malformed URI to JRun 3.0 will cause the servlet server to spend too many resources parsing the URI, which will cause it to lock up for a short time. Sending many of these malformed requests at once could lock up a server for many minutes. For instance, if a URI resembling http://localhost/servlet/............ is furnished, a perceptible lag between request and response can be observed. Further manipulation of the URI can yield more extreme results. Please note that this holds only for the included JRun servlet server, not any other vendor's web server. Affected Software Versions * JRun 3.0 (all editions) * JRun 3.0 SP1 (all editions) What Allaire is Doing Allaire has published this bulletin, notifying customers of the problem. Allaire has also released a patch that should resolve the issue in JRun 3.0. The patch is available for immediate download and application. JRun 3.0 users can find the patch for installation at the following URIs -- use the patch appropriate to your platform -- instructions for installation are included: Windows 95/98/NT/2000 and Windows NT Alpha: [4]http://download.allaire.com/patches/TrailingDots.ZIP UNIX/Linux patch - GNU gzip/tar: [5]http://download.allaire.com/patches/TrailingDots.tgz It is recommended that you back up your existing data before applying any patch. What Customers Should Do Customers should download and apply the patch provided. Please note: As always, customers should test patch changes in a testing environment before modifying production servers. Acknowledgements Special thanks to Shreeraj Shah of [6]Foundstone, Inc. for bringing this issue to our attention. Revisions October 31, 2000 -- Bulletin first created. Reporting Security Issues Allaire is committed to addressing security issues and providing customers with the information on how they can protect themselves. If you identify what you believe may be a security issue with an Allaire product, please send an email to secure@allaire.com. We will work to appropriately address and communicate the issue. Receiving Security Bulletins When Allaire becomes aware of a security issue that we believe significantly affects our products or customers, we will notify customers when appropriate. Typically this notification will be in the form of a security bulletin explaining the issue and the response. Allaire customers who would like to receive notification of new security bulletins when they are released can sign up for our security notification service. For additional information on security issues at Allaire, please visit the Security Zone at: [7]http://www.allaire.com/security. THE INFORMATION PROVIDED BY ALLAIRE IN THIS BULLETIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALLAIRE DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL ALLAIRE CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF ALLAIRE CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Allaire reserves the right, from time to time, to update the information in this document with current information. < a l l a i r e > Copyright © 1995-2000 Allaire Corp., All rights reserved. [8]Year 2000 (Y2K) [9]Site problems? [10]Service questions? [11]Privacy Policy References 1. LYNXIMGMAP:http://www.allaire.com/handlers/index.cfm?ID=18085&Method=Full#allaireHome 2. LYNXIMGMAP:http://www.allaire.com/handlers/index.cfm?ID=18085&Method=Full#tools 3. javascript:history.back() 4. http://download.allaire.com/patches/TrailingDots.ZIP 5. http://download.allaire.com/patches/TrailingDots.tgz 6. http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=13 7. http://www.allaire.com/security 8. http://www.allaire.com/developer/year2000 9. mailto:webmaster@allaire.com 10. mailto:info@allaire.com 11. http://www.allaire.com/privacy/