Posted to commits@tomee.apache.org by "Zhuo Chen (JIRA)" <ji...@apache.org> on 2016/11/15 02:49:58 UTC

[jira] [Created] (TOMEE-1970) Configuration error can cause infinite loop

Zhuo Chen created TOMEE-1970:
--------------------------------

             Summary: Configuration error can cause infinite loop
                 Key: TOMEE-1970
                 URL: https://issues.apache.org/jira/browse/TOMEE-1970
             Project: TomEE
          Issue Type: Bug
          Components: TomEE Core Server
    Affects Versions: 7.0.2
         Environment: All system applicable.
            Reporter: Zhuo Chen


Dear Apache TomEE team,

We implemented a static analysis tool that helps enforce CERT rule FIO08-J:

https://www.securecoding.cert.org/confluence/display/java/FIO08-J.+Distinguish+between+characters+or+bytes+read+from+a+stream+and+-1

As a case study we ran the tool on Apache TomEE and found violations of
the rule.

A badly written configuration file can cause an infinite loop in the JSON parser in `container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java`.

This is because `SimpleJSonParser.java` has several places that violate the CERT rule FIO08-J:

https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java#L50

https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java#L67

https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java#L88

We're not sure if this could be used for a remote denial-of-service
attack, but it definitely can result in a non-functional server.

We have written up how to reproduce the results here:

https://github.com/CharlesZ-Chen/ReadChecker/tree/master/case-study/apache-tomee

This should be an easy fix as the only work is to correct the improper casts in `SimpleJSonParser.java`.

Thanks,

Charles
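As an added illustration of the FIO08-J pattern the report describes (constructed example, not TomEE's code and not the lines linked above): a string-literal reader that narrows `read()` to `char` before the end-of-stream check, beside the corrected form that keeps the `int` and reports a truncated input as a parse error.

```java
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

public class Fio08jDemo {

    // FIO08-J violation (the pattern, not TomEE's exact lines): read() returns an
    // int so that -1 can signal end of stream, but the value is narrowed to char
    // before the check. (char) -1 is '\uFFFF', which widens back to 65535, so the
    // comparison with -1 is always true and a truncated input never ends the loop.
    // maxLen is a demo-only bound so that this method returns at all.
    static String readStringBuggy(Reader in, int maxLen) throws IOException {
        StringBuilder sb = new StringBuilder();
        char c = (char) in.read();
        while (c != '"' && c != -1 && sb.length() < maxLen) {
            sb.append(c);
            c = (char) in.read();
        }
        return sb.toString();
    }

    // Fix: keep the int, test it against -1 first, and only then narrow to char.
    // A truncated literal is reported as a parse error instead of spinning.
    static String readStringFixed(Reader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != '"') {
            if (c == -1) {
                throw new IOException("unterminated string literal (end of input)");
            }
            sb.append((char) c);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a complete literal body and a truncated one
        // (the opening quote is assumed to have been consumed by the caller).
        String complete = "value\"}";
        String truncated = "val";

        System.out.println(readStringFixed(new StringReader(complete)));
        // The buggy reader returns only because the demo bound is hit, never because it saw EOF.
        System.out.println(readStringBuggy(new StringReader(truncated), 16).length());
        try {
            readStringFixed(new StringReader(truncated));
        } catch (IOException e) {
            System.out.println("fixed parser: " + e.getMessage());
        }
    }
}
```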



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)