CVE-1999-1478
Description
A remote attacker can crash any server running Sun HotSpot Performance Engine VM by requesting a URL containing the [ character, causing a denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Sun HotSpot Performance Engine VM (version 1.0_fcs) contains a bug where a malformed class name beginning with the [ character triggers an internal error. An attacker can exploit this by requesting a URL such as http://www.myserver.com/servlet/[ or http://www.myserver.com/servlet/[foobar, causing the HotSpot VM to crash and the web server to terminate. This affects servers running JRun, ServletExec, IIS 4, and IIS 5 on Windows NT 4.0 x86 [1][2].
Exploitation
An attacker needs only network access to the target web server. No authentication is required. Simply sending an HTTP request with a path containing [ (e.g., /servlet/[) will cause the HotSpot VM to encounter an internal error, resulting in a crash. The server dies immediately upon receiving the request [1][2].
Impact
Successful exploitation causes a denial of service (DoS) as the web server process is terminated. The attacker does not gain code execution or data access; the sole impact is service unavailability until the server is manually restarted [1][2].
Mitigation
Sun confirmed the bug (Bug ID: 4254559) and indicated it was scheduled for a fix, but the details of a fixed version or release date are not documented in the available references. No workaround was provided. Administrators should monitor Sun's Java Developer Connection Bug Parade for a patch. As of the references, the vulnerability affects HotSpot VM 1.0_fcs [1][2].
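Because the references give no fix or workaround, reviewing request logs for the triggering pattern is the practical check. The sketch below is an added example, not code from the advisory or from Sun; it assumes Common Log Format input and the `/servlet/` prefix seen in the URLs above, also matches the percent-encoded form `%5B`, and its function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}|-) ')

def servlet_class_segment(target, prefix="/servlet/"):
    """Return the decoded path segment that follows the servlet prefix, or None."""
    path = target.split("?", 1)[0]      # the query string is not part of the class name
    decoded = unquote(path)             # normalise %5B to '['
    idx = decoded.lower().find(prefix)  # also covers absolute-URI request targets
    if idx == -1:
        return None
    return decoded[idx + len(prefix):].split("/", 1)[0]

def find_bracket_requests(lines):
    """Return one record per request whose servlet class name starts with '['."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                    # skip lines that are not CLF
        host, when, method, target, status = m.groups()
        segment = servlet_class_segment(target)
        if segment is not None and segment.startswith("["):
            hits.append({"client": host, "time": when,
                         "method": method, "target": target, "status": status})
    return hits

# Constructed sample log lines (documentation addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Dec/1999:13:55:36 -0800] "GET /servlet/[ HTTP/1.0" - 0',
    '192.0.2.10 - - [10/Dec/1999:13:58:02 -0800] "GET /servlet/%5Bfoobar HTTP/1.0" - 0',
    '198.51.100.7 - - [10/Dec/1999:14:01:11 -0800] "GET /servlet/HelloServlet HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Dec/1999:14:01:15 -0800] "GET /index.html?q=[x] HTTP/1.0" 200 1024',
    '198.51.100.9 - - [10/Dec/1999:14:02:40 -0800] "GET /servlet/Report?ids=[1] HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    for hit in find_bracket_requests(SAMPLE_LOG):
        print(hit["time"], hit["client"], hit["target"])
```

Brackets that appear only in a query string or outside the servlet path are deliberately not flagged, which keeps the check tied to the class-name position the description identifies.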
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:microsoft:internet_information_server:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:microsoft:internet_information_server:4.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References (4)
News mentions
No linked articles in our index yet.