Red Hat Bugzilla – Bug 459517
Satellite Denial of Service when scanned with IBM AppScan
Last modified: 2010-07-12 23:38:05 EDT
Description of problem:
Running IBM AppScan against Satellite produces a DOS of the webui when tomcat runs out of memory.
Satellite in question is running RHEL 4 AS on 2GB memory, dual P4 Xeons 3.66GHz.
Version-Release number of selected component (if applicable):
At least on Satellite 5.1
Steps to Reproduce:
1. Run IBM AppScan against satellite
2. Watch tomcat logs for 'out of memory errors'
Actual results:
DOS of webui, satellite itself remains usable
Expected results:
Satellite should continue to work normally, as AppScan reads in visible code from a given site and evaluates it for coding errors.
Additional info: AppScan Version 7.7
Apparently the scanner is opening all the jsp pages located under the '5.1.0' link at the bottom of the page and keeping them open as it's trying to scan the satellite.
The Satellite has 4GB of memory, not 2GB as stated above.
Since I do not have easy access (to my knowledge) to IBM AppScan, I do not have a way to replicate this.
I would like you to please open a support ticket on this case so that we can review your results, understand better what happened and why, and see what changes/improvements we can make.
Most likely we will review the satellite-debug apache log files to see pages requested, HTTP responses and other data.
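
Added example, not part of the original bug report or of any Red Hat tooling: one way to carry out the log review described in the last comment, summarizing per client which JSP pages were requested, how many 5xx responses came back, and whether the requests arrived in a burst. It assumes the Apache "combined" log format; the sample lines, addresses, paths and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache "combined" format (assumed format, not data from the bug).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 -0400] "GET /example/a.jsp HTTP/1.1" 200 5120 "-" "scanner"
192.0.2.10 - - [01/Jan/2024:10:00:02 -0400] "GET /example/b.jsp HTTP/1.1" 200 4096 "-" "scanner"
192.0.2.10 - - [01/Jan/2024:10:00:03 -0400] "GET /example/c.jsp?x=1 HTTP/1.1" 200 4096 "-" "scanner"
192.0.2.10 - - [01/Jan/2024:10:00:04 -0400] "GET /example/d.jsp HTTP/1.1" 500 312 "-" "scanner"
192.0.2.10 - - [01/Jan/2024:10:00:05 -0400] "GET /example/a.jsp HTTP/1.1" 503 312 "-" "scanner"
198.51.100.7 - - [01/Jan/2024:10:00:02 -0400] "GET /example/a.jsp HTTP/1.1" 200 5120 "-" "browser"
198.51.100.7 - - [01/Jan/2024:10:01:30 -0400] "GET /example/style.css HTTP/1.1" 200 900 "-" "browser"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def summarize(log_text, window_seconds=10, burst_threshold=4):
    """Per client: distinct JSP pages, 5xx count, peak JSP requests in any window."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]  # ignore the query string
        hits[m["ip"]].append((ts, path, int(m["status"])))
    report = {}
    for ip, rows in hits.items():
        rows.sort(key=lambda r: r[0])
        jsp_times = [ts for ts, path, _ in rows if path.endswith(".jsp")]
        peak, start = 0, 0
        for end, ts in enumerate(jsp_times):  # sliding time window
            while (ts - jsp_times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        report[ip] = {
            "distinct_jsp": len({p for _, p, _ in rows if p.endswith(".jsp")}),
            "server_errors": sum(1 for _, _, s in rows if s >= 500),
            "peak_jsp_per_window": peak,
            "burst": peak >= burst_threshold,
        }
    return report
```

A client flagged with `burst` and a rising `server_errors` count is the pattern to correlate against the time of the Tomcat out-of-memory errors.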