
Wednesday, February 16, 2011

WebSphere Critical Security Vulnerability - Denial of Service Security Exposure with Java JRE/JDK


Dear WebSphere Administrators,

Please patch your WAS deployments ASAP to fix a Denial of Service Security Exposure in which the Java JRE/JDK hangs when converting the number 2.2250738585072012e-308 (CVE-2010-4476) (PM32387).
See http://www-01.ibm.com/support/docview.wss?uid=swg21462019#solution_dist

This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program that uses the Double.parseDouble method is also at risk, including any customer-written or third-party application.

The security vulnerability is generic; specifically, it is a bug in sun.misc.FloatingDecimal.doubleValue.
See http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

This can be used as a denial of service attack against app servers, by sending the server an HTTP request containing this value in a field - if the server parses the value with parseDouble(), the thread doing the parsing will go into an infinite loop.

A hacker looks up a website and submits the string value "2.2250738585072012e-308" for a form field that expects a double and parses it on the server side. Other instances could include a web service hosted on WAS that takes a string input from a form or a URL and tries to convert that string to a floating-point variable. Any server-side code that calls parseDouble is exposed if the hacker figures out how to trigger the parsing.
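The exposure above comes down to one thing: a request thread that hands untrusted text to Double.parseDouble can be stuck forever. Until the JDK patch is applied, the only practical defence is to keep the parse off the request thread and give it a time budget, so that a poisoned value is rejected (and logged for detection) instead of pinning a worker. The following wrapper is an added example written for this post; it is not IBM's or Oracle's code, the class name, the 64-character length limit and the timeout value are assumptions, and it needs Java 8 or later for the lambdas.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;

/**
 * Hypothetical defensive wrapper around Double.parseDouble (example code, not from the post).
 * 1. Rejects anything that is not plain decimal syntax (hex floats, NaN, Infinity, suffixes).
 * 2. Rejects over-long strings, which covers the 324-decimal-place spelling of the bad value.
 * 3. Runs the parse on a separate daemon thread with a time budget, because the short
 *    scientific-notation form passes every syntactic check and only the hang reveals it.
 */
public final class GuardedDoubleParser {
    // Optional sign, digits with optional fraction, optional exponent. Nothing else.
    private static final Pattern DECIMAL =
        Pattern.compile("[+-]?(\\d+(\\.\\d*)?|\\.\\d+)([eE][+-]?\\d+)?");
    private static final int MAX_LENGTH = 64;   // assumed: generous for legitimate form input

    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "guarded-parse-double");
        t.setDaemon(true);   // a worker stuck in the JDK loop must not keep the JVM alive
        return t;
    });

    private GuardedDoubleParser() {}

    public static double parse(String input, long timeoutMillis) {
        if (input == null || input.length() > MAX_LENGTH || !DECIMAL.matcher(input).matches()) {
            throw new IllegalArgumentException("rejected numeric input");
        }
        Future<Double> result = POOL.submit(() -> Double.parseDouble(input));
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // The interrupt is ignored by a busy loop, so the worker may keep spinning;
            // the request thread, however, is free again and the caller gets a clean error.
            result.cancel(true);
            // Detection hook: a parse that blows its budget is a strong CVE-2010-4476 indicator.
            System.err.println("ALERT parseDouble exceeded " + timeoutMillis
                + " ms for an input of length " + input.length());
            throw new IllegalArgumentException("numeric parse timed out");
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalArgumentException("interrupted while parsing");
        } catch (ExecutionException e) {
            throw new IllegalArgumentException("not a number", e.getCause());
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: a normal value, the CVE-2010-4476 value,
        // a hex float (rejected by syntax) and a huge exponent (parses to Infinity).
        String[] samples = {"3.14159", "2.2250738585072012e-308", "0x1p-1022", "1e99999"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + parse(s, 100));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

On a patched JDK every sample either parses or is rejected by syntax; on an unpatched one the second sample times out and is rejected while the daemon worker keeps spinning. That leaked CPU is exactly why this wrapper is a stopgap for detection and containment, not a substitute for the PM32387 fix.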

And remember ...
** JDK fixes are NOT dependent on the version/release of WSAS **

Oracle recently released a fix for the same issue:
http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html


Reference:
http://www.reddit.com/r/programming/comments/fczjc/next_language_java_hangs_when_converting/
http://news.ycombinator.com/item?id=2164863
