CVE-2006-2310
CVSS5.0
Published: 2006-06-26 06:06:00
Revised: 2011-03-07 21:35:56
NMCOS    

[Original] BlueDragon Server and Server JX 6.2.1.286 for Windows allows remote attackers to cause a denial of service (hang) via a request for a .cfm file whose name contains an MS-DOS device name such as (1) con, (2) aux, (3) com1, and (4) com2.


[CNNVD] BlueDragon Server/Server JX 6 multiple denial-of-service vulnerabilities (CNNVD-200606-498)

BlueDragon Server and Server JX 6.2.1.286 for Windows allow remote attackers to cause a denial of service (hang) via a request for a .cfm file whose name contains an MS-DOS device name such as (1) con, (2) aux, (3) com1 or (4) com2.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [No impact on system confidentiality]
Integrity impact: NONE [No impact on system integrity]
Availability impact: PARTIAL [May cause reduced performance or interrupted access to resources]
Access complexity: LOW [No special access conditions are required to exploit the vulnerability]
Access vector: NETWORK [The attacker does not need intranet or local access]
Authentication: NONE [Exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:new_atlanta_communications:bluedragon_server_jx:6.2.1.286::windows
cpe:/a:new_atlanta_communications:bluedragon_server:6.2.1.286::windows

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2310
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2310
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-498
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18624
(PATCH)  BID  18624
http://secunia.com/advisories/19180
(VENDOR_ADVISORY)  SECUNIA  19180
http://www.vupen.com/english/advisories/2006/2502
(UNKNOWN)  VUPEN  ADV-2006-2502
http://secunia.com/secunia_research/2006-18/advisory
(VENDOR_ADVISORY)  MISC  http://secunia.com/secunia_research/2006-18/advisory

- Vulnerability information

BlueDragon Server/Server JX 6 multiple denial-of-service vulnerabilities
Medium  Design error
2006-06-26 00:00:00 2006-12-19 00:00:00
Remote
BlueDragon Server and Server JX 6.2.1.286 for Windows allow remote attackers to cause a denial of service (hang) via a request for a .cfm file whose name contains an MS-DOS device name such as (1) con, (2) aux, (3) com1 or (4) com2.

- Advisories and patches

The vendor has released patches to address this and other issues.
New Atlanta BlueDragon Server J2EE 6.2.1 .286
Temporary workaround:
* Configure ACLs to restrict unauthorized users' access to the web interface.
The vendor has released patches; download them from the vendor's home page:
New Atlanta BlueDragon Server J2EE 6.2.1 .286
New Atlanta BlueDragon.J2EE.309.zip
ftp://ftp.newatlanta.com/public/bluedragon/6_2_1_302/patches/309/BlueDragon.J2EE.309.zip
New Atlanta BlueDragon Server 6.2.1 .286
New Atlanta BlueDragon.Server.309.zip
ftp://ftp.newatlanta.com/public/bluedragon/6_2_1_302/patches/309/BlueDragon.Server.309.zip
New Atlanta BlueDragon Server JX 6.2.1 .286
New Atlanta BlueDragon.JX.309.zip
ftp://ftp.newatlanta.com/public/bluedragon/6_2_1_302/patches/309/BlueDragon.JX.309.zip


- Vulnerability information

26788
BlueDragon Server MS-DOS Device Name Request DoS
Denial of Service
Loss of Availability Patch / RCS
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-06-23 2006-03-19
2006-06-23 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

- Vulnerability information

BlueDragon Server .CFM Files Denial Of Service Vulnerability
Design Error 18624
Yes No
2006-06-23 12:00:00 2006-06-27 11:10:00
Tan Chew Keong of Secunia Research is credited with the discovery of this vulnerability.

- Affected program versions

New Atlanta BlueDragon Server JX 6.2.1 .286
New Atlanta BlueDragon Server J2EE 6.2.1 .286
New Atlanta BlueDragon Server 6.2.1 .286

- Vulnerability discussion

BlueDragon is prone to a remote denial-of-service vulnerability. This issue is due to the application's failure to properly handle malformed GET requests.

An attacker can exploit this issue to cause the service to stop responding, effectively denying service to legitimate users.

This issue affects version 6.2.1.286; other versions may also be vulnerable.
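The mechanism behind this issue is that on Windows a file name whose stem is a reserved MS-DOS device name (the advisory lists con, aux, com1 and com2) is resolved to the device rather than to a file, and the file open on it blocks. The following is an added defensive example, not code from the advisory or from New Atlanta: a request-path check a front-end filter or web application could apply before handing a .cfm path to the file system, plus a scan over constructed access-log lines for detection. The function names and the sample log lines are assumptions of this example; the full reserved-name list (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9) comes from the documented Windows naming rules and goes beyond the four names the advisory itself mentions.

```python
# Added example (not from the advisory or the vendor): reject request paths
# whose components would resolve to a Windows reserved device name.
import re
from urllib.parse import unquote

# Documented Windows reserved device names. The advisory confirms con, aux,
# com1 and com2; the rest of the set is the standard Windows list.
RESERVED_DEVICE_NAMES = {
    "CON", "PRN", "AUX", "NUL",
    *(f"COM{i}" for i in range(1, 10)),
    *(f"LPT{i}" for i in range(1, 10)),
}


def is_reserved_device_name(component: str) -> bool:
    """True if a single path component would be treated as a device on Windows.

    Windows matches the name case-insensitively, ignores any extension
    ("con.cfm" is still CON) and ignores trailing dots and spaces.
    """
    base = component.rstrip(" .")
    stem = base.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES


def request_path_is_safe(url_path: str) -> bool:
    """Check every component of a request path, after percent-decoding.

    The query string is dropped first; decoding happens before the check so
    an encoded name such as "%63on.cfm" is examined as "con.cfm".
    """
    path_only = url_path.split("?", 1)[0]
    decoded = unquote(path_only)
    for component in re.split(r"[\\/]+", decoded):
        if component and is_reserved_device_name(component):
            return False
    return True


# Constructed sample access-log lines (hypothetical, not from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2006:12:00:01 +0000] "GET /index.cfm HTTP/1.1" 200 512
10.0.0.6 - - [23/Jun/2006:12:00:02 +0000] "GET /con.cfm HTTP/1.1" 200 0
10.0.0.7 - - [23/Jun/2006:12:00:03 +0000] "GET /apps/AUX.cfm?id=1 HTTP/1.1" 200 0
10.0.0.8 - - [23/Jun/2006:12:00:04 +0000] "GET /console.cfm HTTP/1.1" 200 300
10.0.0.9 - - [23/Jun/2006:12:00:05 +0000] "GET /%63om1.cfm HTTP/1.1" 200 0
"""

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def find_device_name_requests(log_text: str) -> list:
    """Return the request paths in a log that name a reserved device."""
    hits = []
    for line in log_text.splitlines():
        match = _REQUEST_RE.search(line)
        if match and not request_path_is_safe(match.group(1)):
            hits.append(match.group(1))
    return hits


if __name__ == "__main__":
    for path in find_device_name_requests(SAMPLE_LOG):
        print("reserved device name in request:", path)
```

Because the check runs on every path component, a directory named after a device (for example a request under "/aux/") is refused as well, which is the same Windows behaviour; "console.cfm" and "com10.cfm" pass, since only the exact stem matters.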

- Exploit

Attackers use standard network utilities to exploit this issue.

The following proof-of-concept URIs are available:

- Solution

The vendor has released a patch to address this and other issues.


New Atlanta BlueDragon Server J2EE 6.2.1 .286

New Atlanta BlueDragon Server 6.2.1 .286

New Atlanta BlueDragon Server JX 6.2.1 .286

- References

