From pgrundl@kpmg.dk Thu Jul 18 02:00:05 2002 From: "[iso-8859-1] Peter Gründl" To: vulnwatch Date: Wed, 17 Jul 2002 11:36:33 +0200 Subject: [VulnWatch] KPMG-2002034: Jigsaw Webserver DOS device DoS [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -------------------------------------------------------------------- Title: Jigsaw Webserver DOS device DoS BUG-ID: 2002034 Released: 17th Jul 2002 -------------------------------------------------------------------- Problem: ======== A malicious user can tie up working threads on the web server. when the web server runs out of working threads, the web server will no longer service web requests. Vulnerable: =========== - Jigsaw V2.2.1 Distribution on Windows 2000 Server Not Vulnerable: =============== - Jigsaw V2.2.1 Dev/2.2/20020711 on Windows 2000 Server Product Description: ==================== Quoted from the vendor webpage: "Jigsaw is W3C's leading-edge Web server platform, providing a sample HTTP 1.1 implementation and a variety of other features on top of an advanced architecture implemented in Java. The W3C Jigsaw Activity statement explains the motivation and future plans in more detail. Jigsaw is an W3C Open Source Project, started May 1996." Details: ======== Requests for /servlet/con never times out, and approximately 30 of these requests is enough to tie up all working threads on the server. The service needs to be restarted to recover. Vendor URL: =========== You can visit the vendor webpage here: http://www.w3.org Vendor response: ================ The vendor was notified on the 27nd of May, 2002. On the 12th of July we verified that the problem was corrected in the latest build (s020711). Corrective action: ================== Upgrade to a newer version. This issue was first resolved in build s020711, available here: http://www.caucho.com/download/index.xtp Author: Peter Gründl (pgrundl@kpmg.dk) -------------------------------------------------------------------- KPMG is not responsible for the misuse of the information we provide through our security advisories. These advisories are a service to the professional security community. In no event shall KPMG be lia- ble for any consequences whatsoever arising out of or in connection with the use or spread of this information. --------------------------------------------------------------------