Bug 459517

Summary: Satellite Denial of Service when scanned with IBM AppScan
Product: Red Hat Satellite 5
Reporter: David Glaser <dsglaser>
Component: WebUI
Assignee: Clifford Perry <cperry>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Red Hat Satellite QA List <satqe-list>
Severity: high
Docs Contact:
Priority: medium
Version: 510
CC: cperry, jesusr
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-13 03:38:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 462714

Description David Glaser 2008-08-19 16:22:54 UTC
Description of problem:

When running IBM AppScan against Satellite, it produces a DoS of the web UI when Tomcat runs out of memory.

Satellite in question is running RHEL 4 AS on 2GB memory, dual P4 Xeons 3.66GHz.
Version-Release number of selected component (if applicable):

At least on Satellite 5.1

How reproducible:

Always

Steps to Reproduce:
1. Run IBM AppScan against satellite
2. Watch tomcat logs for 'out of memory errors'
Actual results:

DoS of the web UI; the Satellite itself remains usable

Expected results:

Satellite should continue to work normally, as AppScan reads in visible code from a given site and evaluates it for coding errors.
Additional info: AppScan Version 7.7

Apparently the scanner is opening all the jsp pages located under the '5.1.0' link at the bottom of the page and keeping them open as it's trying to scan the satellite.

Comment 1 David Glaser 2008-08-19 16:50:15 UTC
The Satellite has 4GB of memory, not 2GB as stated above.

Comment 2 Clifford Perry 2009-03-24 19:42:43 UTC
Hi there, 
Since I do not have easy access (to my knowledge) to IBM AppScan, I do not have a way to replicate this. 

I would like you to please open a support ticket on this case for us to review your results and understand better what happened and why to see what changes/improvements we can make. 

Most likely we will review the satellite-debug apache log files to see pages requested, HTTP responses and other data. 

Regards,
Cliff.
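As an added illustration of the triage Cliff outlines (pages requested and HTTP responses from the Apache access log, combined with the Tomcat out-of-memory line that step 2 of the report says to watch for), here is a small Python script. It is not part of this bug, of Satellite, or of AppScan; the log lines, client addresses and JSP paths in it are constructed for the example, and the log format assumed is the Apache common/combined access-log layout.

```python
import re
from collections import defaultdict

# Apache common/combined access-log line (regex written for this example;
# referer and user-agent, if present, are simply left unparsed).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client walking many JSPs until the web UI starts
# answering with 5xx, plus one ordinary client. Paths are made up.
ACCESS_LOG = """\
10.0.0.5 - - [19/Aug/2008:16:01:02 +0000] "GET /rhn/Login.do HTTP/1.1" 200 5120
10.0.0.5 - - [19/Aug/2008:16:01:03 +0000] "GET /rhn/help/a.jsp HTTP/1.1" 200 900
10.0.0.5 - - [19/Aug/2008:16:01:03 +0000] "GET /rhn/help/b.jsp HTTP/1.1" 200 910
10.0.0.5 - - [19/Aug/2008:16:01:04 +0000] "GET /rhn/help/c.jsp HTTP/1.1" 500 320
10.0.0.5 - - [19/Aug/2008:16:01:04 +0000] "GET /rhn/help/a.jsp HTTP/1.1" 503 0
10.0.0.7 - - [19/Aug/2008:16:01:05 +0000] "GET /rhn/YourRhn.do HTTP/1.1" 200 8000
"""

# Constructed catalina.out excerpt; the OutOfMemoryError line is the signal.
TOMCAT_LOG = """\
Aug 19, 2008 4:01:03 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet jsp threw exception
java.lang.OutOfMemoryError: Java heap space
"""

def parse_access_log(text):
    """Yield one dict per well-formed access-log line; skip malformed ones."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def summarize_clients(text):
    """Per client: request count, distinct JSP paths hit, and 5xx responses.
    Many distinct JSPs from one client followed by 5xx is the scanner pattern."""
    stats = defaultdict(lambda: {"requests": 0, "jsp_paths": set(), "errors_5xx": 0})
    for rec in parse_access_log(text):
        s = stats[rec["client"]]
        s["requests"] += 1
        if rec["path"].lower().endswith(".jsp"):
            s["jsp_paths"].add(rec["path"])
        if rec["status"].startswith("5"):
            s["errors_5xx"] += 1
    return dict(stats)

def tomcat_oom_lines(text):
    """Return the catalina.out lines that report an OutOfMemoryError."""
    return [l for l in text.splitlines() if "OutOfMemoryError" in l]
```

Run it against the real access log and catalina.out by reading those files into the two functions; a client whose first 5xx lines up in time with the OutOfMemoryError entry is the one to look at.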