[#DWR-482] DWR (and many many other apps) DoS - DWR

Details

Type: Task
Status: Open
Priority: Normal
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: 4.0
Component/s: Core

Documentation Required:
No

Description:

Hide
May affect some dwr code. grep for double.parse. e.g. in dwrmessage.

http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

Nasty problem. Basically an instant DOS attack, and unless your
appserver kills long-running cpu-bound threads, will require operator
intervention to restore service.

Show
May affect some dwr code. grep for double.parse. e.g. in dwrmessage. http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ Nasty problem. Basically an instant DOS attack, and unless your appserver kills long-running cpu-bound threads, will require operator intervention to restore service.

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

David Marginian added a comment - 01/Feb/11 2:56 PM

Thanks for notifying us of this but I am not seeing how this is a DWR bug. I see how it can affect web applications using DWR and I see that by wrapping Double we could get around it but ....

What are your suggestions?

Show

David Marginian added a comment - 01/Feb/11 2:56 PM Thanks for notifying us of this but I am not seeing how this is a DWR bug. I see how it can affect web applications using DWR and I see that by wrapping Double we could get around it but .... What are your suggestions?

Hide

Permalink

peter bryant added a comment - 01/Feb/11 3:29 PM

Oracle will fix. there'll be multiple exploitable vms still out there. multiple apps. overall its a pretty yucky situation. frameworks involved in parsing user inputs to double should maybe go a bit out of their way to prevent issues.

// puts java into an infinite cpu loop. scary.
if("2.2250738585072012e-308".equalsIgnoreCase(s)) { return Double.MIN_VALUE; }
return Double.parseDouble(s);

Show

peter bryant added a comment - 01/Feb/11 3:29 PM Oracle will fix. there'll be multiple exploitable vms still out there. multiple apps. overall its a pretty yucky situation. frameworks involved in parsing user inputs to double should maybe go a bit out of their way to prevent issues. // puts java into an infinite cpu loop. scary. if("2.2250738585072012e-308".equalsIgnoreCase(s)) { return Double.MIN_VALUE; } return Double.parseDouble(s);

Hide

Permalink

David Marginian added a comment - 01/Feb/11 3:38 PM

Right. I am not a huge fan of introducing this type of weird logic into the framework. I think this seems to be quite an edge case (certain JDK, certain value - which of course is now a known exploit thanks to the comment on the link you posted). Seems like you could just as easily protect against it at the application level (via a filter, etc.).

Show

David Marginian added a comment - 01/Feb/11 3:38 PM Right. I am not a huge fan of introducing this type of weird logic into the framework. I think this seems to be quite an edge case (certain JDK, certain value - which of course is now a known exploit thanks to the comment on the link you posted). Seems like you could just as easily protect against it at the application level (via a filter, etc.).

Hide

Permalink

Mike Wilson added a comment - 05/Feb/11 2:06 PM

Yes, our code does make use of Double.parseDouble and the similar Double.valueOf. Unfortunately, the fix is not so simple though, as (according to the article you supplied):

1) a range of numbers trigger the bug
It is not only hanging for 2.2250738585072012e-308.
It is hanging for any number between
2^(-1022) – 2^(-1075) and
2^(-1022) – 2^(-1076).
For example, 2.22507385850720117e-308

2) modified forms of the same number triggers the bug
0.00022250738585072012e-304 (decimal point placement)
00000000002.2250738585072012e-308 (leading zeros)
2.225073858507201200000e-308 (trailing zeros)
2.2250738585072012e-00308 (leading zeros in the exponent)
2.2250738585072012997800001e-308 (superfluous digits beyond digit 17)

So to catch the offending numbers it seems we would almost have to write our own floating point parser
Still, if there is a straight-forward and performant way to catch these we could consider adding it to LocalUtil.simpleConvert() where our double conversion takes place, with a note to remove it once we expect the world to have upgraded to newer JREs.

Show

Mike Wilson added a comment - 05/Feb/11 2:06 PM Yes, our code does make use of Double.parseDouble and the similar Double.valueOf. Unfortunately, the fix is not so simple though, as (according to the article you supplied): 1) a range of numbers trigger the bug It is not only hanging for 2.2250738585072012e-308. It is hanging for any number between 2^(-1022) – 2^(-1075) and 2^(-1022) – 2^(-1076). For example, 2.22507385850720117e-308 2) modified forms of the same number triggers the bug 0.00022250738585072012e-304 (decimal point placement) 00000000002.2250738585072012e-308 (leading zeros) 2.225073858507201200000e-308 (trailing zeros) 2.2250738585072012e-00308 (leading zeros in the exponent) 2.2250738585072012997800001e-308 (superfluous digits beyond digit 17) So to catch the offending numbers it seems we would almost have to write our own floating point parser

Still, if there is a straight-forward and performant way to catch these we could consider adding it to LocalUtil.simpleConvert() where our double conversion takes place, with a note to remove it once we expect the world to have upgraded to newer JREs.

DWR

DWR (and many many other apps) DoS

Details

Activity

People

Dates