Denial of Service in BEA Weblogic Server

Reported January 8, 2002, by Peter Gründl.

VERSIONS AFFECTED

  • BEA Weblogic Server 6.1 for Windows 2000

  • BEA Weblogic Server 6.1 for Windows NT
DESCRIPTION

A Denial of Service (DoS) condition exists in BEA Weblogic Server 6.1. By requesting a .jsp file whose name is a reserved DOS device name, such as “aux.jsp,” an attacker can cause the server to invoke the external JSP compiler in a working thread that never finishes. Once the intruder has tied up 10 or more working threads in this manner, the server no longer processes any further requests, even legitimate ones.
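The following is an added example, not code from the advisory or from BEA: a defender-side check that flags request paths whose segment would resolve on Windows to a reserved device name (the case this advisory describes), run here over a few constructed access-log lines. The log format and the function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Win32 reserved device names. Windows resolves "aux.jsp", "AUX", "aux." and
# "aux.tar.jsp" alike to the device, regardless of case or extension.
RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL",
                    *{f"COM{i}" for i in range(1, 10)},
                    *{f"LPT{i}" for i in range(1, 10)}}

def is_reserved_device_name(segment: str) -> bool:
    """True if a single path segment would be resolved by Win32 to a device."""
    # Win32 ignores trailing spaces and dots, then compares the part before
    # the first dot case-insensitively.
    base = segment.rstrip(" .").split(".", 1)[0].strip()
    return base.upper() in RESERVED_DEVICES

def request_targets_device(raw_path: str) -> bool:
    """True if any segment of a (possibly percent-encoded) URL path names a device."""
    path = unquote(raw_path.split("?", 1)[0])   # drop the query string, decode %xx
    path = path.replace("\\", "/")               # Windows accepts both separators
    return any(is_reserved_device_name(seg) for seg in path.split("/") if seg)

# Constructed sample access-log lines (not from the advisory) to scan.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2002:10:00:01] "GET /index.jsp HTTP/1.0" 200 512
10.0.0.9 - - [08/Jan/2002:10:00:02] "GET /aux.jsp HTTP/1.0" 500 0
10.0.0.9 - - [08/Jan/2002:10:00:03] "GET /app/%61ux.jsp HTTP/1.0" 500 0
10.0.0.9 - - [08/Jan/2002:10:00:04] "GET /app/COM1.jsp?x=1 HTTP/1.0" 500 0
10.0.0.5 - - [08/Jan/2002:10:00:05] "GET /auxiliary.jsp HTTP/1.0" 200 812
"""
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def flag_device_requests(log_text: str) -> list:
    """Return the raw request paths in an access log that name a reserved device."""
    return [m.group(1) for line in log_text.splitlines()
            if (m := LOG_RE.search(line)) and request_targets_device(m.group(1))]

if __name__ == "__main__":
    for p in flag_device_requests(SAMPLE_LOG):
        print("reserved device name in request:", p)
```

The same `request_targets_device` check can be applied in a request filter in front of the JSP handler so that such requests are rejected before a compiler thread is spawned.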
VENDOR RESPONSE
The vendor, BEA, has released Service Pack 2 to correct this issue.
CREDIT
Discovered by Peter Gründl.
