Vigil@nce: Sun Calendar Server, denial of service of logging
June 2008 by Vigil@nce
SYNTHESIS
When Access Logging is enabled, an attacker can stop Sun Java
System Calendar Server.
Gravity: 2/4
Consequences: denial of service of service
Provenance: intranet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 18/06/2008
Identifier: VIGILANCE-VUL-7901
IMPACTED PRODUCTS
– Sun Java System Calendar Server [confidential versions]
– Sun ONE Calendar Server [confidential versions]
DESCRIPTION
The "service.http.commandlog.all" option of cal/config/ics.conf
file is used to log HTTP requests. The documentation indicates
that this option should not be used during production runtime
(fill up the log file and could degrade performance).
When this option is enabled, an attacker can send a malformed HTTP
query in order to stop Sun Java System Calendar Server.
Technical details are unknown.
CHARACTERISTICS
Identifiers: 235521, 6622866, BID-29763, VIGILANCE-VUL-7901