P4
FULL PRODUCT VERSION :
java_sdk_source_6u2
ADDITIONAL OS VERSION INFORMATION :
all OS
A DESCRIPTION OF THE PROBLEM :
the java.math.BigDecimal class accepts inputs that will make the JVM unresponsive.
Any software that accepts user input is vulnerable to this attck.
The attack string may also be inadvertly created, causing the JVM to become unresponsive.
NOTE: This problem was reported almost a year ago, on Jul 30 2006, id: 764300, but has not been fixed in a very recent SDK (JDK 6 update 2). This is a very serious problem, especially in the context of web applications as you can probably imagine.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
import java.math.BigDecimal;
public class Dos {
public static void main(String[] args) throws Exception {
BigDecimal a = new BigDecimal("5");
BigDecimal b = new BigDecimal("5e912345");
BigDecimal c = a.add(b);
}
};
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Adding two numbers that are represented by short strings (9 characters) should be fast.
ACTUAL -
Running the example takes 4 minutes on intel dual core processor !
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.math.BigDecimal;
public class Dos {
public static void main(String[] args) throws Exception {
BigDecimal a = new BigDecimal("5");
BigDecimal b = new BigDecimal("5e912345");
BigDecimal c = a.add(b);
}
};
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
parse the string and make sure that the exponent is in the range -311 .. +311
java_sdk_source_6u2
ADDITIONAL OS VERSION INFORMATION :
all OS
A DESCRIPTION OF THE PROBLEM :
the java.math.BigDecimal class accepts inputs that will make the JVM unresponsive.
Any software that accepts user input is vulnerable to this attck.
The attack string may also be inadvertly created, causing the JVM to become unresponsive.
NOTE: This problem was reported almost a year ago, on Jul 30 2006, id: 764300, but has not been fixed in a very recent SDK (JDK 6 update 2). This is a very serious problem, especially in the context of web applications as you can probably imagine.
STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
import java.math.BigDecimal;
public class Dos {
public static void main(String[] args) throws Exception {
BigDecimal a = new BigDecimal("5");
BigDecimal b = new BigDecimal("5e912345");
BigDecimal c = a.add(b);
}
};
EXPECTED VERSUS ACTUAL BEHAVIOR :
EXPECTED -
Adding two numbers that are represented by short strings (9 characters) should be fast.
ACTUAL -
Running the example takes 4 minutes on intel dual core processor !
REPRODUCIBILITY :
This bug can be reproduced always.
---------- BEGIN SOURCE ----------
import java.math.BigDecimal;
public class Dos {
public static void main(String[] args) throws Exception {
BigDecimal a = new BigDecimal("5");
BigDecimal b = new BigDecimal("5e912345");
BigDecimal c = a.add(b);
}
};
---------- END SOURCE ----------
CUSTOMER SUBMITTED WORKAROUND :
parse the string and make sure that the exponent is in the range -311 .. +311