--------------------------------------------------------------------

Title: Bea Weblogic Performance Pack Denial of Service

BUG-ID: 2002029
Released: 8th Jul 2002
--------------------------------------------------------------------

Problem:
========
If the performance pack is enabled, the Bea Weblogic Server can be
crashed by a malicious user. The performance pack is enabled in a
default installation.


Vulnerable:
===========
- Bea Weblogic 7.0 on Windows 2000 Server

The vendor has reproduced the issue on:
BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 on
Microsoft NT or Windows 2000.


Product Description:
====================
Quoted from the vendor webpage:

"Designed for enterprise applications that demand the flexibility
 and security of server-side components in Java, BEA WebLogic ServerT
 brings scalability, performance, and fault tolerance to mission-
 critical Web-based solutions. BEA WebLogic Server is an award-
 winning Java application server for developing, deploying, and
 managing Web applications. BEA WebLogic Server also offers the most
 complete implementation of the Java 2 Enterprise Edition standard -
 including Enterprise JavaBeans."


Details:
========
The Bea Weblogic Server is vulnerable to a data/connection flooding
that will result in the web service crashing with a report of an
error in NTDLL.DLL.


Vendor URL:
===========
You can visit the vendor webpage here: http://www.bea.com


Vendor response:
================
The vendor was notified on the 1st of May, 2002. On the 2nd of
May, 2002 the vendor had reproduced the issue and assigned
case number 324070 and change request CR076409 to the issue.
On the 17th of May, 2002 the vendor supplied us with a
workaround for the issue. On the 3rd of July, the vendor issued
an official patch for the issue.


Corrective action:
==================
As a temporary workaround, you can disable the performance pack:

1. Start the WebLogic Server Console.
2. Open the Servers folder in the navigation tree.
3. Select your server in the Servers folder.
4. Select the Configuration tab.
5. Select the Tuning tab.
6. If the "Native IO Enabled" check box is selected, uncheck it.
7. Click Apply.
8. Restart your server.


The vendor released bulletin, containing links to the official
patches, can be accessed through this URL (wrapped for readability):

http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?
highlight=advisoriesnotifications&path=components/dev2dev
/resourcelibrary/advisoriesnotifications/advisory_BEA02-19.htm



Author: Peter Gründl (pgrundl@kpmg.dk)

--------------------------------------------------------------------
KPMG is not responsible for the misuse of the information we provide
through our security advisories. These advisories are a service to
the professional security community. In no event shall KPMG be lia-
ble for any consequences whatsoever arising out of or in connection
with the use or spread of this information.
--------------------------------------------------------------------