Most unsecured Tomcat web servers are vulnerable, who is to blame?

Question

Most unsecured Tomcat web servers are vulnerable, who is to blame?

Most Java JVMs are prone to very serious denial of service (all JVMs for Oracle / Sun up to 1.6.0_24 [this is not at the time of this writing], and this did not get the HotFix that came out yesterday, for example).

http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

Following:

curl -H 'Accept-Language: en-us;q=2.2250738585072012e-308' http://example.org

Tomcat web server lot crash on the planet.

My question is simple: who is to blame?

Apparently, getLocale() calls the (very badly) listened Double.parseDouble(...) , and then you can trivially execute the denial of service on Tomcat.

Is the error when executing Double.parseDouble(...) blame?

It seems to me that the real problem is that the HTTP specifications are using floating point numbers for something that really doesn't look very much like scientific calculations for me. Using a floating point number for such a thing seems more than strange: it is easy to prove that implementation in different languages will give different results.

So who is to blame?

Java is terribly lame (the error has been known since 10 years) implementation of Double.parseDouble(...) ?

HTTP specs? (remember that PHP got the same error).

I can understand that you blame a language if it happens with one language ... But when two remote denial of service attacks happen with two different languages due to the fact that the HTTP specifications dictate the parsing of floating point numbers for what something that is not a scientific calculation should call a bell.

Floating point numbers should only be used for scientific calculations . Unless you have floating point numbers and no epsilon, you are doing it wrong.

+7

java http tomcat

SyntaxT3rr0r Feb 11 '11 at 0:03

source share

3 answers

John bartholomew · Answer 1 · 2011-02-11T00:22:38+0000

Actually, rfc 2616 (HTTP / 1.1 specification) says:

HTTP / 1.1 applications MUST NOT generate more than three digits after the decimal point. The user configuration of these values SHOULD also be limited in this way.
 qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] ) 
“Quality values” are incorrect, as these values simply represent relative degradation in the desired quality.

Please note that this limits the number of digits and does not allow the exponent. I think that any implementation will fully comply with the specification in order to ignore input data that contains more than three fractional digits and completely ignore anything with an exponent. The fact that Tomcat does not do this is not an issue with the HTTP specification.

Jerry Coffin · Answer 2 · 2011-02-11T00:16:34+0000

It is not either / or. As with many security issues, this is the result of both being to blame. If one of them did its job well enough, the problem would never have arisen.

Thorbjørn Ravn Andersen · Answer 3 · 2011-02-11T00:09:03+0000

This is a problem with the method of parsing numbers in the Java runtime library, not with Tomcat - it just uses the specified method.

Edit: The reason q is a fraction is because it allows you to use a value between two existing values that you might need when providing a value after the first assignments have occurred.

Most unsecured Tomcat web servers are vulnerable, who is to blame?

More articles: