COMMAND
Weblogic server DoS

SYSTEMS AFFECTED
Bea Weblogic Server 6.1 Service Pack 1 for Windows NT/2000

PROBLEM
Peter Gründl of KPMG Denmark reported in BUG-ID [2002003]:
When the Weblogic server receives a .jsp request, it invokes an external compiler to deal with the .jsp resource requested. The server can be fooled into thinking you are requesting a valid .jsp resource by simply requesting a DOS device (such as e.g. aux) and appending the .jsp extension to it (aux.jsp). The external compiler is then invoked and, due to the nature of the DOS devices, this working thread never finishes. The server can handle about 10-11 working threads, so once this number of active threads has been reached, the server will no longer service any requests. Since both HTTP and HTTPS are handled by the same module, both are crippled if one is attacked.

SOLUTION
Vendor issued bug id CR062542. The patch is "Service Pack 2", available from: http://commerce.beasys.com
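As an added detection example (not from the advisory or from Bea), the check below flags requests whose last path segment is a reserved DOS device name, and runs it over constructed access-log lines in Common Log Format. It generalizes the advisory's aux.jsp case to the full set of Windows reserved device names (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), which Windows resolves regardless of directory, extension or letter case; the log format and sample lines are assumptions.

```python
import re
from urllib.parse import unquote, urlparse

# Reserved MS-DOS device names; Windows resolves these regardless of
# directory or extension, so "aux.jsp" is still the AUX device.
RESERVED_DEVICES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}

def is_reserved_device_path(raw_path: str) -> bool:
    """True if the last path segment names a DOS device (any extension)."""
    path = unquote(urlparse(raw_path).path)            # drop query, decode %xx
    segment = path.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows ignores everything after the first dot plus trailing dots/spaces.
    stem = segment.split(".", 1)[0].rstrip(" .")
    return stem.upper() in RESERVED_DEVICES

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
_CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_device_requests(log_lines):
    """Return (client, path) pairs for requests that target a reserved device."""
    hits = []
    for line in log_lines:
        m = _CLF.match(line)
        if not m:
            continue                                     # skip unparseable lines
        client, _method, path, _status = m.groups()
        if is_reserved_device_path(path):
            hits.append((client, path))
    return hits

# Constructed sample access-log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0100] "GET /index.jsp HTTP/1.0" 200 512',
    '192.0.2.55 - - [01/Jan/2002:10:00:01 +0100] "GET /aux.jsp HTTP/1.0" 200 0',
    '192.0.2.55 - - [01/Jan/2002:10:00:02 +0100] "GET /app/COM1.jsp?x=1 HTTP/1.1" 200 0',
    '192.0.2.77 - - [01/Jan/2002:10:00:03 +0100] "GET /auxiliary.jsp HTTP/1.0" 200 880',
]

if __name__ == "__main__":
    for client, path in flag_device_requests(SAMPLE_LOG):
        print(f"reserved-device request from {client}: {path}")
```

The same `is_reserved_device_path` check can be used as a request-rejection rule in front of the server until the vendor patch is applied.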