Re: JRun 3.0 SP2 Vulnerability??

From: Jason Robertson (jasonat_private)
Date: Thu Sep 27 2001 - 13:14:01 PDT

    I have noticed similar problems.  Actually we have a JRUN server running, and about every 30 
    minutes, the jrun service actually needs to be restarted.  As I speak it just crashed again.  But 
    prior to Nimda, this wasn't a problem.
    
    Jason
    
    On 27 Sep 2001 at 13:01, Kerry Steele wrote:
    
    From:           	"Kerry Steele" <steele_kerryat_private>
    To:             	focus-msat_private, incidentsat_private
    Subject:        	JRun 3.0 SP2 Vulnerability??
    Date sent:      	Thu, 27 Sep 2001 13:01:04 -0500
    
    > Scenario:
    > 
    > Windows 2000 Advanced Server SP2 running IIS.
    > Fully patched server, including Q301625 - the cumulative IIS patch.
    > Locked down using the Microsoft IIS Lockdown Tool.
    > Locked down using the HISECWEB security template.
    > Locked down using the Securing IIS 5.0 Checklist.
    > 
    > Should not be vulnerable to Code Red or Nimda, etc. - one would think.
    > 
    > Now load Allaire JRun 3.0 Professional Edition with SP2.
    > 
    > Is it possible that this machine was infected with the Nimda virus, as the JRun
    > ISAPI extension interprets all requests sent to the server?  An attempt was left
    > in the event log where the Windows Protection Service prevented overwriting the
    > cmd.exe file (least it's good for something) - therefore I have to assume that
    > it's been compromised.
    > 
    > Are there any Directory Traversal, Unicode, etc. vulnerabilities for JRun 
    > 3.0 SP2 that I am missing?  If not, is JRun vulnerable to the Nimda worm?  Does
    > not make sense, this server was FULLY patched.
    > 
    > Example of a vulnerability where IIS was patched, but JRun was still 
    > vulnerable:
    > 
    > http://www.allaire.com/handlers/index.cfm?ID=21759&Method=Full
    > 
    > ~~~~~~~~~~~~
    > Kerry Steele
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For more
    > information on this free incident handling, management and tracking system
    > please see: http://aris.securityfocus.com
    > 
    > 
    
    
    ---
    Jason Robertson                
    Network Analyst            
    jasonat_private    
    http://www.astroadvice.com      
    
    
    



    This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 13:21:31 PDT