CVE-2002-1030
CVSS2.6
发布时间 :2002-10-04 00:00:00
修订时间 :2008-09-05 16:29:35
NMCO    

[原文]Race condition in Performance Pack in BEA WebLogic Server and Express 5.1.x, 6.0.x, 6.1.x and 7.0 allows remote attackers to cause a denial of service (crash) via a flood of data and connections.


[CNNVD]BEA Systems WebLogic Express竞争条件远程拒绝服务漏洞(CNNVD-200210-148)

        
        BEA Systems WebLogic Server是一款企业级别的WEB和无线应用服务程序,BEA WebLogic Express是为WEB和无线应用程序的动态数据进行服务的平台,可使用在多种Linux/Unix操作系统中,也可以使用在Windows操作系统下。
        BEA WebLogic Express代码中存在竞争条件漏洞,远程攻击者可以利用这个漏洞进行拒绝服务攻击。
        如果BEA WebLogic Express中的性能捆绑(performance pack)功能开启的情况下,攻击者可以提交大量的数据连接,可导致由于NTDLL.DLL产生错误而使服务崩溃,停止对正常通信的响应。
        

- CVSS (基础分值)

CVSS分值: 2.6 [轻微(LOW)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: HIGH [漏洞利用存在特定的访问条件]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:bea:weblogic_server:6.1:sp1BEA Systems WebLogic Server 6.1 SP1
cpe:/a:bea:weblogic_server:5.1:sp6BEA Systems WebLogic Server 5.1 SP6
cpe:/a:bea:weblogic_server:5.1:sp6:expressBEA Systems WebLogic Express 5.1 SP6
cpe:/a:bea:weblogic_server:6.1::express
cpe:/a:bea:weblogic_server:5.1:sp9BEA Systems WebLogic Server 5.1 SP9
cpe:/a:bea:weblogic_server:5.1:sp4:expressBEA Systems WebLogic Express 5.1 SP4
cpe:/a:bea:weblogic_server:6.1:sp1:expressBEA Systems WebLogic Express 6.1 SP1
cpe:/a:bea:weblogic_server:5.1:sp3BEA Systems WebLogic Server 5.1 SP3
cpe:/a:bea:weblogic_server:5.1:sp1:expressBEA Systems WebLogic Express 5.1 SP1
cpe:/a:bea:weblogic_server:6.1:sp2:expressBEA Systems WebLogic Express 6.1 SP2
cpe:/a:bea:weblogic_server:5.1:sp5:expressBEA Systems WebLogic Express 5.1 SP5
cpe:/a:bea:weblogic_server:5.1:sp1BEA Systems WebLogic Server 5.1 SP1
cpe:/a:bea:weblogic_server:5.1:sp2:expressBEA Systems WebLogic Express 5.1 SP2
cpe:/a:bea:weblogic_server:5.1:sp9:expressBEA Systems WebLogic Express 5.1 SP9
cpe:/a:bea:weblogic_server:6.0BEA Systems WebLogic Server 6.0
cpe:/a:bea:weblogic_server:7.0::express
cpe:/a:bea:weblogic_server:6.0::express
cpe:/a:bea:weblogic_server:6.1:sp3:expressBEA Systems WebLogic Express 6.1 SP3
cpe:/a:bea:weblogic_server:6.0:sp2:express
cpe:/a:bea:weblogic_server:5.1:sp4BEA Systems WebLogic Server 5.1 SP4
cpe:/a:bea:weblogic_server:6.0:sp2
cpe:/a:bea:weblogic_server:6.1:sp2BEA Systems WebLogic Server 6.1 SP2
cpe:/a:bea:weblogic_server:6.1BEA Systems WebLogic Server 6.1
cpe:/a:bea:weblogic_server:5.1:sp12:expressBEA Systems WebLogic Express 5.1 SP12
cpe:/a:bea:weblogic_server:5.1:sp5BEA Systems WebLogic Server 5.1 SP5
cpe:/a:bea:weblogic_server:6.1:sp3BEA Systems WebLogic Server 6.1 SP3
cpe:/a:bea:weblogic_server:5.1:sp7:expressBEA Systems WebLogic Express 5.1 SP7
cpe:/a:bea:weblogic_server:5.1:sp2BEA Systems WebLogic Server 5.1 SP2
cpe:/a:bea:weblogic_server:5.1:sp3:expressBEA Systems WebLogic Express 5.1 SP3
cpe:/a:bea:weblogic_server:6.0:sp1
cpe:/a:bea:weblogic_server:5.1:sp12BEA Systems WebLogic Server 5.1 SP12
cpe:/a:bea:weblogic_server:5.1:sp10BEA Systems WebLogic Server 5.1 SP10
cpe:/a:bea:weblogic_server:5.1:sp10:expressBEA Systems WebLogic Express 5.1 SP10
cpe:/a:bea:weblogic_server:5.1:sp7BEA Systems WebLogic Server 5.1 SP7
cpe:/a:bea:weblogic_server:5.1::express
cpe:/a:bea:weblogic_server:5.1BEA Systems WebLogic Server 5.1
cpe:/a:bea:weblogic_server:6.0:sp1:express
cpe:/a:bea:weblogic_server:5.1:sp11:expressBEA Systems WebLogic Express 5.1 SP11
cpe:/a:bea:weblogic_server:5.1:sp8BEA Systems WebLogic Server 5.1 SP8
cpe:/a:bea:weblogic_server:5.1:sp8:expressBEA Systems WebLogic Express 5.1 SP8

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1030
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1030
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-148
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/5159
(VENDOR_ADVISORY)  BID  5159
http://www.iss.net/security_center/static/9486.php
(VENDOR_ADVISORY)  XF  weblogic-race-condition-dos(9486)
http://online.securityfocus.com/archive/1/281046
(UNKNOWN)  BUGTRAQ  20020708 KPMG-2002029: Bea Weblogic Performance Pack Denial of Service
http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2Fadvisory_BEA02-19.htm
(UNKNOWN)  CONFIRM  http://dev2dev.bea.com/resourcelibrary/advisoriesdetail.jsp?highlight=advisoriesnotifications&path=components%2Fdev2dev%2Fresourcelibrary%2Fadvisoriesnotifications%2Fadvisory_BEA02-19.htm
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0008.html
(UNKNOWN)  VULNWATCH  20020708 [VulnWatch] KPMG-2002029: Bea Weblogic Performance Pack Denial of Service

- 漏洞信息

BEA Systems WebLogic Express竞争条件远程拒绝服务漏洞
低危 未知
2002-10-04 00:00:00 2005-05-02 00:00:00
远程  
        
        BEA Systems WebLogic Server是一款企业级别的WEB和无线应用服务程序,BEA WebLogic Express是为WEB和无线应用程序的动态数据进行服务的平台,可使用在多种Linux/Unix操作系统中,也可以使用在Windows操作系统下。
        BEA WebLogic Express代码中存在竞争条件漏洞,远程攻击者可以利用这个漏洞进行拒绝服务攻击。
        如果BEA WebLogic Express中的性能捆绑(performance pack)功能开启的情况下,攻击者可以提交大量的数据连接,可导致由于NTDLL.DLL产生错误而使服务崩溃,停止对正常通信的响应。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 使用如下方法关闭性能捆束(performance pack)功能:
        1,启动Weblogic Server控制台。
        2,在导行树中打开Servers文件夹。
        3,在Servers文件夹中选择你的服务器。
        4,选择Configuration标签。
        5,选择Tuning标签。
        6,如果"Native IO Enabled"被选中,请撤消选中。
        7,点击Apply。
        8,重启动你的服务器。
        厂商补丁:
        BEA Systems
        -----------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Bea Systems WebLogic Server for Win32 5.1 SP 9:
        Bea Systems WebLogic Express for Win32 5.1 SP 9:
        Bea Systems WebLogic Express for Win32 5.1 SP 8:
        Bea Systems WebLogic Server for Win32 5.1 SP 8:
        Bea Systems WebLogic Server for Win32 5.1 SP 7:
        Bea Systems WebLogic Express for Win32 5.1 SP 7:
        Bea Systems WebLogic Express for Win32 5.1 SP 6:
        Bea Systems WebLogic Server for Win32 5.1 SP 6:
        Bea Systems WebLogic Server for Win32 5.1 SP 5:
        Bea Systems WebLogic Express for Win32 5.1 SP 5:
        Bea Systems WebLogic Express for Win32 5.1 SP 4:
        Bea Systems WebLogic Server for Win32 5.1 SP 4:
        Bea Systems WebLogic Server for Win32 5.1 SP 3:
        Bea Systems WebLogic Express for Win32 5.1 SP 3:
        Bea Systems WebLogic Express for Win32 5.1 SP 2:
        Bea Systems WebLogic Server for Win32 5.1 SP 2:
        Bea Systems WebLogic Express for Win32 5.1 SP 12:
        BEA Systems Patch CR080901_510sp12.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_510sp12.zip
        Bea Systems WebLogic Server for Win32 5.1 SP 12:
        BEA Systems Patch CR080901_510sp12.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_510sp12.zip
        Bea Systems WebLogic Server for Win32 5.1 SP 11:
        Bea Systems WebLogic Express for Win32 5.1 SP 11:
        Bea Systems WebLogic Express for Win32 5.1 SP 10:
        Bea Systems WebLogic Server for Win32 5.1 SP 10:
        Bea Systems WebLogic Express for Win32 5.1 SP 1:
        Bea Systems WebLogic Server for Win32 5.1 SP 1:
        Bea Systems WebLogic Server for Win32 5.1:
        Bea Systems WebLogic Express for Win32 5.1:
        Bea Systems WebLogic Server for Win32 6.0 SP 2:
        BEA Systems Patch CR080901_60sp2rp3.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_60sp2rp3.zip
        Must have rolling patch 3 installed.
        Bea Systems WebLogic Express for Win32 6.0 SP 2:
        BEA Systems Patch CR080901_60sp2rp3.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_60sp2rp3.zip
        Must have rolling patch 3 installed.
        Bea Systems WebLogic Express for Win32 6.0 SP 1:
        Bea Systems WebLogic Server for Win32 6.0 SP 1:
        Bea Systems WebLogic Server for Win32 6.0:
        Bea Systems WebLogic Express for Win32 6.0:
        Bea Systems WebLogic Server for Win32 6.1 SP 3:
        BEA Systems Patch CR080901_61sp3.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_61sp3.zip
        Bea Systems WebLogic Express for Win32 6.1 SP 3:
        BEA Systems Patch CR080901_61sp3.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_61sp3.zip
        Bea Systems WebLogic Server for Win32 6.1 SP 2:
        Bea Systems WebLogic Express for Win32 6.1 SP 2:
        Bea Systems WebLogic Express for Win32 6.1 SP 1:
        Bea Systems WebLogic Server for Win32 6.1 SP 1:
        Bea Systems WebLogic Server for Win32 6.1:
        Bea Systems WebLogic Express for Win32 6.1:
        Bea Systems WebLogic Express for Win32 7.0:
        BEA Systems Patch CR080901_70.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_70.zip
        Bea Systems WebLogic Server for Win32 7.0:
        BEA Systems Patch CR080901_70.zip
        ftp://ftpna.bea.com/pub/releases/security/CR080901_70.zip

- 漏洞信息

5025
BEA WebLogic Server and Expres Performance Pack Race Condition DoS
Denial of Service
Loss of Availability

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-04-08 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站