Bug 459517 - Satellite Denial of Service when scanned with IBM AppScan
Product: Red Hat Satellite 5
Classification: Red Hat
Component: WebUI
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Clifford Perry
QA Contact: Red Hat Satellite QA List
Blocks: 462714
Reported: 2008-08-19 12:22 EDT by David Glaser
Modified: 2010-07-12 23:38 EDT
Doc Type: Bug Fix
Last Closed: 2010-07-12 23:38:05 EDT

Description David Glaser 2008-08-19 12:22:54 EDT
Description of problem:

Running IBM AppScan against Satellite produces a DoS of the webui when tomcat runs out of memory.

Satellite in question is running RHEL 4 AS on 2GB memory, dual P4 Xeons 3.66GHz.

Version-Release number of selected component (if applicable):

At least on Satellite 5.1

How reproducible:


Steps to Reproduce:
1. Run IBM AppScan against satellite
2. Watch tomcat logs for 'out of memory errors'

Actual results:

DOS of webui, satellite itself remains usable

Expected results:

Satellite should continue to work normally, as AppScan reads in visible code from a given site and evaluates it for coding errors.

Additional info:

AppScan Version 7.7

Apparently the scanner is opening all the jsp pages located under the '5.1.0' link at the bottom of the page and keeping them open as it's trying to scan the satellite.

Comment 1 David Glaser 2008-08-19 12:50:15 EDT
The Satellite has 4GB of memory, not 2GB as stated above.

Comment 2 Clifford Perry 2009-03-24 15:42:43 EDT
Hi there, 
Since I do not have easy access (to my knowledge) to IBM AppScan, I do not have a way to replicate this. 

I would like you to please open a support ticket on this case for us to review your results and understand better what happened and why, to see what changes/improvements we can make.

Most likely we will review the satellite-debug apache log files to see pages requested, HTTP responses and other data. 

