※ 本文转录自 [Lan] 信箱 作者: [email protected] (TWCERT/CC Fellows) 标题: 【TWCERT/CC安全通报】 TW-CA-2005-044-[Sun(sm) 时间: Mon Apr 18 11:30:04 2005 -----BEGIN PGP SIGNED MESSAGE----- TW-CA-2005-044-[Sun(sm) Alert Notification #57760: Sun Java System Web Server Denial-of-Service Vulnerability] ──────────────────────────────────────── TWCERT/CC发布日期：2005-04-18 原漏洞发布日期：2005-04-13 原漏洞最新更新日期：2005-04-14 通用安全漏洞编号： 分类：Dos 来源参考：Sun(sm) Alert Notification #57760 ──── 简述 ───────────────────────────────── ──── 说明 ───────────────────────────────── Sun Java System Web Server (之前称为Sun ONE Web Server and iPlanet Web Server) 的某些版本存在一个安全弱点，可能允许远端使用者将网路伺服器变成无回应状态，这是 一种阻断服务攻击。 ──── 影响平台 ─────────────────────────────── 此议题可能影响下列发行版本： ．Sun Java System Web Server 6.0 Service Pack 7 和更早之前的版本(仅Windows平台) 注意： 1.Sun Java System Web Server versions 6.1.x 版本不受本议题影响。 2.本安全议题仅发生在执行 Sun Java System Web Server 的 Windows 平台。 ──── 修正方式 ─────────────────────────────── 暂时解决方法： 要暂时解决本安全议题所述的问题，可暂时关闭 Web Server instances 的 Java (通常 Java 的预设值是处於启动状态)，要完成此一动作可依下列步骤进行： 开始 Admin Server instance 之後，开启视窗命令提示并输入下列的指令来启动或停止 Admin Server： 1) 更换 Web Server Admin Server 的安装目录，例如使用预设目录： % cd \Sun\Webserver\https-admserv 2) 开启 Web Server Admin Server 程序： % startsvr.bat 或是 1. 从 "Start" > "Programs" 选择使用选单，或是双击(Double-click) Start Web Server Administration Server 的图示(假如有安装在桌面上)，之後： 2. 从网页上输入 http://＜hostname＞:＜Port＞ 并登入管理工具。 3. 选择 Admin Server instance 并点择 "Manage" 按钮。 4. 点选 "Java" 标签并开启 "Enable/Disable Servlet/JSP" 的连结。 5. 取消选择 "Enable Java Globally" 6. 点选 "OK" 与 "Apply All Changes" 後重新启动 instance 。 注意：假如您以此方式关闭 Java ，则您的 instance 将不会再执行 java ，如此暂时解 决方法不适合您的环境，建议升级至最新的 service pack ，关於 service pack 下载的 资讯可利用 "解决方法" 一节的连结。 解决方法： 此议题已於下列版本中解决： Sun Java System Web Server 6.0 Service Pack 8 以及更新的版本 Sun Java System Web Server 6.0 Service Pack 8 可於下列网址下载： -http://wwws.sun.com/software/download/products/40968fe6.html ──── 影响结果 ─────────────────────────────── 伺服器会变成无回应状态。 ──── 联络TWCERT/CC ───────────────────────────── Tel: 886-7-5250211 FAX: 886-7-5250212 886-2-23563303 886-2-23924082 Email: [email protected] URL: http://www.cert.org.tw/ PGP key: http://www.cert.org.tw/eng/pgp.htm ──────────────────────────────────────── 附件：[Sun Java System Web Server Denial-of-Service Vulnerability] ──── 原文 ───────────────────────────────── Sun(sm) Alert Notification Sun Alert ID: 57760 Synopsis: Sun Java System Web Server Denial-of-Service Vulnerability Category: Security Product: Sun Java System Web Server BugIDs: 4852204 Avoidance: Upgrade State: Resolved Date Released: 13-Apr-2005 Date Closed: 13-Apr-2005 Date Modified: 1. Impact A vulnerability in certain releases of the Sun Java System Web Server (formerly Sun ONE Web Server and iPlanet Web Server) may allow a remote user to cause the web server to become unresponsive, causing a Denial-of-Service (DOS) condition. 2. Contributing Factors This issue can occur in the following releases: Sun Java System Web Server 6.0 Service Pack 7 and earlier (Windows platforms only) Notes: Sun Java System Web Server versions 6.1.x are not affected by this issue. This issue only affects Sun Java System Web Servers running on the Windows platform. 3. Symptoms The server becomes unresponsive. Solution Summary Top 4. Relief/Workaround To work around the described issue, sites may wish to temporarily disable Java for all Web Server instances (Java is enabled by default), by doing the following : To start an Admin Server instance, open a Windows command prompt and use the command line to start or stop an Admin Server, as in the following example: 1) Change to the installation directory for the Web Server Admin Server. For example, using the default directory: % cd \Sun\Webserver\https-admserv 2) Start the Web Server Admin Server process: % startsvr.bat or, 1. Use the menu from the "Start" then "Programs" selections, or Double-click the "Start Web Server Administration Server" icon (if installed on the Desktop), then: 2. Log in to the admin tool by going to the http://＜hostname＞:＜Port＞ 3. Select the Admin Server instance and click the "Manage" button. 4. Click the "Java" tab and open the "Enable/Disable Servlet/JSP" link 5. Uncheck "Enable Java Globally" 6. Click "OK" and "Apply All Changes" then restart the instance Note: If you disable Java in this fashion, you will no longer be able to run Java applications for that instance. It is recommended to upgrade to the latest service pack if the workaround is unsuitable for your environment. Please use the link below in "Resolution" for Service Pack download information. 5. Resolution This issue is addressed in the following releases: Sun Java System Web Server 6.0 Service Pack 8 and later Sun Java System Web Server 6.0 Service Pack 8 is available for download at http: //wwws.sun.com/software/download/products/40968fe6.html. This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. ──────────────────────────────────────── -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQEVAwUBQmMpFacyQYefg2/NAQHTtwf9GB8NyTj3izvWcsuzmdEve+x6RlUzs/tJ etaeSkww1mYDZYvbMszJxI6f6eTxlepXknQQCaFiXvf/3KGiTyusXIsstn8ZhYkC SPPbAIfVsHv9z6iYcTnJ8oVspz40a9OcEbdLksdVCy4/TQ+RrSKHQdXgL0E1WQER IOjwGx3Nsw+nncLJoolnEagaC2+06qQBMyiUSysBk5H8udOSK9zwFUknqdOznn01 LY+/GBjn1YHb8YMutUbU4qyAg4zWXC8G4y/qLZxdnaSmt3iOk/lZiPcEmpMPnKxi /ujuHXjIlSmhBug6mqONRKsf2kxDvcXUly6jm3VeHPG20yiZaDf/FQ== =PA7Z -----END PGP SIGNATURE----- -- Taiwan Computer Emergency Response Team Security Advisory mailing list. Mail to : [email protected] and include a line "subscribe advisory". Please visit http://www.cert.org.tw/. PGP key : http://www.cert.org.tw/eng/pgp.htm