ID: 00318
Ref: 292/2005
Date: 15 April 2005:16:53:43
Version: 1
Title: Sun - Java System Web Server Denial-of-Service Vulnerability (57760)
Abstract: A vulnerability in certain releases of the Sun Java System Web Server (formerly Sun ONE Web Server and iPlanet Web Server) may allow a remote user to cause the web server to become unresponsive, causing a Denial-of-Service (DOS) condition.
Vendors affected: Sun
Applications affected: Sun
Title
=====
Sun - Java System Web Server Denial-of-Service Vulnerability (57760)
Detail
======
PLEASE NOTE- The following is a plain text copy of a Sun SunSolve web page,
which is located at:
http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-57734-1
Document Audience: PUBLIC
Document ID: 57760
Title: Sun Java System Web Server Denial-of-Service Vulnerability
Update Date: 2005-04-14
- --------------------------------------------------------------------------------
Description
- --------------------------------------------------------------------------------
Sun(sm) Alert Notification
Sun Alert ID: 57760
Synopsis: Sun Java System Web Server Denial-of-Service Vulnerability
Category: Security
Product: Sun Java System Web Server
BugIDs: 4852204
Avoidance: Upgrade
State: Resolved
Date Released: 13-Apr-2005
Date Closed: 13-Apr-2005
Date Modified:
1. Impact
A vulnerability in certain releases of the Sun Java System Web Server (formerly
Sun ONE Web Server and iPlanet Web Server) may allow a remote user to cause the
web server to become unresponsive, causing a Denial-of-Service (DOS) condition.
2. Contributing Factors
This issue can occur in the following releases:
Sun Java System Web Server 6.0 Service Pack 7 and earlier (Windows platforms only)
Notes:
Sun Java System Web Server versions 6.1.x are not affected by this issue.
This issue only affects Sun Java System Web Servers running on the Windows platform.
3. Symptoms
The server becomes unresponsive.
- --------------------------------------------------------------------------------
Solution Summary
- --------------------------------------------------------------------------------
4. Relief/Workaround
To work around the described issue, sites may wish to temporarily disable Java
for all Web Server instances (Java is enabled by default), by doing the following :
To start an Admin Server instance, open a Windows command prompt and use the command
line to start or stop an Admin Server, as in the following example:
1) Change to the installation directory for the Web Server Admin Server. For
example, using the default directory:
% cd \Sun\Webserver\https-admserv
2) Start the Web Server Admin Server process:
% startsvr.bat
or,
1. Use the menu from the "Start" then "Programs" selections, or Double-click the
"Start Web Server Administration Server" icon (if installed on the Desktop), then:
2. Log in to the admin tool by going to the http://
:
3. Select the Admin Server instance and click the "Manage" button.
4. Click the "Java" tab and open the "Enable/Disable Servlet/JSP" link
5. Uncheck "Enable Java Globally"
6. Click "OK" and "Apply All Changes" then restart the instance
Note: If you disable Java in this fashion, you will no longer be able to run Java
applications for that instance. It is recommended to upgrade to the latest service
pack if the workaround is unsuitable for your environment. Please use the link below
in "Resolution" for Service Pack download information.
5. Resolution
This issue is addressed in the following releases:
Sun Java System Web Server 6.0 Service Pack 8 and later
Sun Java System Web Server 6.0 Service Pack 8 is available for download at http://wwws.sun.com/software/download/products/40968fe6.html.
This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun
Alert notification may contain information provided by third parties. The issues described
in this Sun Alert notification may or may not impact your system(s). Sun makes no
representations, warranties, or guarantees as to the information contained herein. ANY AND
ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS
DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and
confidential information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com
Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by
these agreements.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A.
All rights reserved.
- --------------------------------------------------------------------------------
Applies To
- --------------------------------------------------------------------------------
-
- --------------------------------------------------------------------------------
Attachments
- --------------------------------------------------------------------------------
-