Vulnerability Type / Importance:Remote DoS / High
Problem Discovered: 16 April 2007
Vendor Contacted: 16 April 2007
Advisory Published: 29 November 2007
Abstract:
"
0000007c
" //total length of data in packet
"9955eeaa" // "magic" number
"06" // number of following bytes including null
"6d7479706500" //the text “mtype”
...etc
In the above example the number of data bytes in the packet is “0x7c”, or 124 bytes. If this value is set to zero in a packet sent to the RVD daemon then it stops responding to all subsequent communication. This appears to result from a memory leak, which continues to attempt to allocate memory. Eventually, operating system alert messages start to appear, warning that the virtual memory in the underlying operating system is running low.
Vendor & Patch Information:
TIBCO have fixed this issue in Rendezvous 8.0. The issue is documented as being fixed in the release notes as follows:
1-84MR37 - Fixed a daemon memory growth defect associated with messages of length zero
Workaround:
There are no known workarounds for this vulnerability
Tested/Affected Versions:
IRM confirmed the presence of this vulnerability in Rendezvous versions 7.5.2, 7.5.3 and 7.5.4
Credits:
Research & Advisory: Varun Uppal and Andy Davis
Disclaimer:
All information in this advisory is provided on an 'as is' basis in the hope that it will be useful. Information Risk Management Plc is not responsible for any risks or occurrences caused by the application of this information.


+44 (0) 20 7808 6420