[TWCERT/CC Security Advisory] TW-CA-2005-044-[Sun(sm) Alert Notification
※ This post is forwarded from the [Lan] mailbox
Author: twcert@cert.org.tw (TWCERT/CC Fellows)
Subject: [TWCERT/CC Security Advisory] TW-CA-2005-044-[Sun(sm)
Date: Mon Apr 18 11:30:04 2005
-----BEGIN PGP SIGNED MESSAGE-----
TW-CA-2005-044-[Sun(sm) Alert Notification #57760: Sun Java System Web Server
Denial-of-Service Vulnerability]
────────────────────────────────────────
TWCERT/CC release date: 2005-04-18
Original vulnerability release date: 2005-04-13
Original vulnerability last updated: 2005-04-14
CVE ID:
Category: DoS
Source reference: Sun(sm) Alert Notification #57760
──── Summary ─────────────────────────────────
──── Description ─────────────────────────────────
Certain releases of Sun Java System Web Server (formerly Sun ONE Web Server and iPlanet Web Server)
contain a security weakness that may allow a remote user to render the web server unresponsive,
resulting in a denial-of-service condition.
──── Affected platforms ───────────────────────────────
This issue may affect the following releases:
- Sun Java System Web Server 6.0 Service Pack 7 and earlier (Windows platforms only)
Notes:
1. Sun Java System Web Server versions 6.1.x are not affected by this issue.
2. This security issue only occurs on Windows platforms running Sun Java System Web Server.
──── Remediation ───────────────────────────────
Workaround:
To work around the issue described in this advisory, Java can be temporarily disabled for the Web
Server instances (Java is normally enabled by default). To do so, follow these steps:
To start an Admin Server instance, open a Windows command prompt and use the following commands
to start or stop the Admin Server:
1) Change to the installation directory of the Web Server Admin Server, for example the default directory:
% cd \Sun\Webserver\https-admserv
2) Start the Web Server Admin Server process:
% startsvr.bat
or
1. Use the "Start" > "Programs" menu, or double-click the "Start Web Server Administration
Server" icon (if it is installed on the Desktop), then:
2. Go to http://<hostname>:<Port> in a browser and log in to the admin tool.
3. Select the Admin Server instance and click the "Manage" button.
4. Click the "Java" tab and open the "Enable/Disable Servlet/JSP" link.
5. Uncheck "Enable Java Globally".
6. Click "OK" and "Apply All Changes", then restart the instance.
Note: If you disable Java in this way, the instance will no longer run Java. If this workaround
is unsuitable for your environment, upgrading to the latest service pack is recommended; service
pack download information is available via the link in the "Resolution" section.
Resolution:
This issue is resolved in the following releases:
Sun Java System Web Server 6.0 Service Pack 8 and later
Sun Java System Web Server 6.0 Service Pack 8 can be downloaded from:
- http://wwws.sun.com/software/download/products/40968fe6.html
──── Impact ───────────────────────────────
The server becomes unresponsive.
──── Contact TWCERT/CC ─────────────────────────────
Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email: twcert@cert.org.tw
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm
────────────────────────────────────────
Attachment: [Sun Java System Web Server Denial-of-Service Vulnerability]
──── Original text ─────────────────────────────────
Sun(sm) Alert Notification
Sun Alert ID: 57760
Synopsis: Sun Java System Web Server Denial-of-Service Vulnerability
Category: Security
Product: Sun Java System Web Server
BugIDs: 4852204
Avoidance: Upgrade
State: Resolved
Date Released: 13-Apr-2005
Date Closed: 13-Apr-2005
Date Modified:
1. Impact
A vulnerability in certain releases of the Sun Java System Web Server
(formerly Sun ONE Web Server and iPlanet Web Server) may allow a remote user to
cause the web server to become unresponsive, causing a Denial-of-Service (DOS)
condition.
2. Contributing Factors
This issue can occur in the following releases:
Sun Java System Web Server 6.0 Service Pack 7 and earlier (Windows platforms
only)
Notes:
Sun Java System Web Server versions 6.1.x are not affected by this issue.
This issue only affects Sun Java System Web Servers running on the Windows
platform.
3. Symptoms
The server becomes unresponsive.
Solution Summary
4. Relief/Workaround
To work around the described issue, sites may wish to
temporarily disable Java for all Web Server instances (Java is enabled by
default), by doing the following:
To start an Admin Server instance, open a Windows command prompt and use the
command line to start or stop an Admin Server, as in the following example:
1) Change to the installation directory for the Web Server Admin Server. For
example, using the default directory:
% cd \Sun\Webserver\https-admserv
2) Start the Web Server Admin Server process:
% startsvr.bat
or,
1. Use the menu from the "Start" then "Programs" selections, or Double-click
the "Start Web Server Administration Server" icon (if installed on the
Desktop), then:
2. Log in to the admin tool by going to the http://<hostname>:<Port>
3. Select the Admin Server instance and click the "Manage" button.
4. Click the "Java" tab and open the "Enable/Disable Servlet/JSP" link
5. Uncheck "Enable Java Globally"
6. Click "OK" and "Apply All Changes" then restart the instance
Note: If you disable Java in this fashion, you will no longer be able to run
Java applications for that instance. It is recommended to upgrade to the latest
service pack if the workaround is unsuitable for your environment. Please use
the link below in "Resolution" for Service Pack download information.
5. Resolution
This issue is addressed in the following releases:
Sun Java System Web Server 6.0 Service Pack 8 and later
Sun Java System Web Server 6.0 Service Pack 8 is available for download at
http://wwws.sun.com/software/download/products/40968fe6.html.
This Sun Alert notification is being provided to you on an "AS IS" basis. This
Sun Alert notification may contain information provided by third parties. The
issues described in this Sun Alert notification may or may not impact your
system(s). Sun makes no representations, warranties, or guarantees as to the
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert
notification contains Sun proprietary and confidential information. It is being
provided to you pursuant to the provisions of your agreement to purchase
services from Sun, or, if you do not have such an agreement, the Sun.com Terms
of Use. This Sun Alert notification may only be used for the purposes
contemplated by these agreements.
Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA
95054 U.S.A. All rights reserved.
────────────────────────────────────────
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4
iQEVAwUBQmMpFacyQYefg2/NAQHTtwf9GB8NyTj3izvWcsuzmdEve+x6RlUzs/tJ
etaeSkww1mYDZYvbMszJxI6f6eTxlepXknQQCaFiXvf/3KGiTyusXIsstn8ZhYkC
SPPbAIfVsHv9z6iYcTnJ8oVspz40a9OcEbdLksdVCy4/TQ+RrSKHQdXgL0E1WQER
IOjwGx3Nsw+nncLJoolnEagaC2+06qQBMyiUSysBk5H8udOSK9zwFUknqdOznn01
LY+/GBjn1YHb8YMutUbU4qyAg4zWXC8G4y/qLZxdnaSmt3iOk/lZiPcEmpMPnKxi
/ujuHXjIlSmhBug6mqONRKsf2kxDvcXUly6jm3VeHPG20yiZaDf/FQ==
=PA7Z
-----END PGP SIGNATURE-----
--
Taiwan Computer Emergency Response Team Security Advisory mailing list.
Mail to : Majordomo@cert.org.tw and include a line "subscribe advisory".
Please visit http://www.cert.org.tw/.
PGP key : http://www.cert.org.tw/eng/pgp.htm