Re: Windows NT 4.0 with IBM JVM Denial of Service

[Marc Schoenefeld <schonef () uni-muenster de>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 23 Jul 2003, @stake Advisories wrote:

[..]
> Advisory Name: Windows NT 4.0 with IBM JVM Denial of Service
>  Release Date: 07/23/2003
>   Application: Any Java application, other applications
>                are possible attack vectors.
>      Platform: Java 2 Runtime Environment, Standard Edition
>                (build 1.3.0), Windows NT 4.0
>      Severity: Denial of service

Analysis:
Windows NT 4.0 : outdated
IBM JAVA 1.3.0 : outdated

File handling in servlets : Bad design anti-pattern (better use EJB)



> Recommendation:
>
> Java developers should identify all occurances and perform data
> validation where java.io.getCanonicalPath is used.

- - That does not help if the getCanonicalPath is used in a
  library that is not available in source code. You might
  have to use a decompiler or use a tool that searches for
  nested calls to such routines. I have written such a tool if
  you like to use it contact me via email.

- - But generally: Developers should think about system design that does not
  base on direct file access in the web-tier (least function principle).

> NT 4.0 Administrators running servers which use Java servlets
> should consider installing the Microsoft supplied patch.

- - DEPLOYERS should update their JVM (if their code
  does not use proprietary IBM stuff) to an uptodate JVM like
  Sun JRE 1.4.1_03.

Cheers
Marc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (AIX)
Comment: For info see http://www.gnupg.org

iD8DBQE/IXcHqCaQvrKNUNQRAhbZAJwKjg+jSAOceGRehLaZO1HhET6UygCeN1kc
53vU1gWicAZObo19fSWjxbc=
=DLEd
-----END PGP SIGNATURE-----