Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Most unpatched Tomcat webservers are vulnerable, who's at fault? [closed]

Tags:

java

http

tomcat

Most Java JVMs are subject to a very severe Denial of Service (all Oracle/Sun JVMs pre 1.6.0_24 [that ain't out yet at the time of this writing] and that didn't get the HotFix that came out yesterday, for example).

http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

The following:

curl -H 'Accept-Language: en-us;q=2.2250738585072012e-308' http://example.org

crashes a lot of the Tomcat webservers on the planet.

My question is simple: who's at fault?

Apparently getLocale() calls the (very badly) bugged Double.parseDouble(...) and you can then trivially perform a Denial of Service on Tomcat.

Is the bugged implementation of Double.parseDouble(...) really at fault?

To me it looks like the real issue is that the HTTP specs are using floating-point numbers for something that really doesn't look very much like scientific computation to me. Using floating-point number for such a thing seems more than weird: it is easy to prove that implementation in different language shall give different results.

So who's at fault?

Java's terribly lame (bug was known since 10 years) implementation of Double.parseDouble(...)?

The HTTP specs? (remember that PHP suffered the exact same bug).

I can understand you blame the language if it happens with one language... But when two remote Denial of Service attacks happens to two different languages due to the fact that the HTTP specs dictate parsing of floating-point number for something that is not a scientific computation should ring a bell.

Floating-point numbers should only ever be used for scientific computations. If you don't have floating-point numbers and no epsilon, you're doing it wrong.

like image 584
SyntaxT3rr0r Avatar asked Feb 11 '11 00:02

SyntaxT3rr0r

1 Answers

Actually, rfc 2616 (the HTTP/1.1 spec) says:

HTTP/1.1 applications MUST NOT generate more than three digits after the decimal point. User configuration of these values SHOULD also be limited in this fashion.

qvalue    = ( "0" [ "." 0*3DIGIT ] )
          | ( "1" [ "." 0*3("0") ] )

"Quality values" is a misnomer, since these values merely represent relative degradation in desired quality.

Note that this limits the number of digits and does not allow an exponent. I'd think any implementation would be perfectly within the spec to disregard input that has more than 3 fractional digits, and completely ignore anything with an exponent value. The fact that Tomcat doesn't do this is not a problem with the HTTP spec.

like image 127
John Bartholomew Avatar answered Sep 28 '22 14:09

John Bartholomew
Sign in to Comment

Related questions

How to create Design QR codes with Java?
Image Comparison Techniques with Java
Exception while parsing wsdl
PreparedStatement.addBatch in java has any restrictions?
Aspectj and catching private or inner methods
Disabling space bar triggering click for JButton
Maven3 global dependency exclusion
How do I create a DateFormat with an optional time argument?
What's the best value Java object database? [closed]
What happens if you throw an Exception from inside UncaughtExceptionHandler?
improving speed of getpixel() and setpixel() on Android Bitmap
JSF2 : inject service objects to managedbean from Spring?
Conversion between different Map projections in Java
Should embeddable jpa class implement equals and hashCode?
Kill a stuck thread on a running VM (JBoss Instance) in Java?
SecurityManager for a cloud service "sandbox"
Cancelling an @Asynchronous EJB call
JAX-RS - JSON without root node
Is it impossible to make an Android game stutter-free? I am going crazy here
Insert an image into a word document in Java

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!